Abstract

A general automaton model for timing-based systems is presented and is used as the 
context for developing a variety of simulation proof techniques for such systems. These 
techniques include (1) refinements, (2) forward and backward simulations, (3) hybrid 
forward-backward and backward-forward simulations, and (4) history and prophecy 
relations. Relationships between the different types of simulations, as well as soundness 
and completeness results, are stated and proved. These results are (with one exception) 
analogous to the results for untimed systems in Part I of this paper. In fact, many of 
the results for the timed case are obtained as consequences of the analogous results for 
the untimed case. 
1 Introduction

Most of the existing semantic models, languages and logics for describing and reasoning about timing-based systems implicitly view an execution as an alternating sequence of instantaneous "discrete" actions and "continuous" phases during which time advances [2, 5, 7, 8, 9, 11, 14, 17, 20, 25, 26, 27, 48, 50, 52, 54, 61, 62]. To each system described in any of these formalisms one can associate a transition system or automaton consisting of (1) a set of states, (2) a set of initial states, (3) a set of discrete actions, (4) a set of discrete steps $s' \xrightarrow{a} s$ asserting that "from state s' the system can instantaneously move to state s via the occurrence of the discrete action a", and, finally, (5) a set of time-passage steps $s' \xrightarrow{d} s$ asserting that "from state s' the system can move to state s during a positive amount of time d in which no discrete action occurs".

These transition systems provide a very abstract view of the behavior of the original system in which many aspects, such as the number of parallel components, the communication between these components, the way in which a system evolves during the continuous phases, etc., are no longer represented. Also, they are in general highly infinite and may even have uncountable state spaces. Nevertheless, it is clear that these transition systems play a central role in the theory of timing-based systems:

• Many important behavioral preorders and equivalences, for instance those based on traces, failure pairs and bisimulations, can be defined in terms of states and transitions. Thus transition systems contain enough information to define what it means that one system implements or is equivalent to another system. Also, the transition systems still contain enough information to serve as models for many temporal and modal logics, i.e., they can be used to define what it means that a system satisfies a formula.

• Many simulation proof techniques for verification of implementation and equivalence 
relations between timing-based systems can be defined and studied at the level of 
transition systems. 

• Transition systems provide an excellent framework for comparing and interrelating a 
wide variety of different formalisms for timing-based systems. Moreover, since they also 
play a central role in the "comparative semantics" of untimed discrete event systems 
[18], they provide a basis for comparing timed and untimed formalisms. 

In this paper, we define a formal transition system model for timing-based systems and use it to develop a variety of simulation proof techniques. The key characteristic of the transition systems discussed above is the presence of time-passage steps and the specific interpretation of these steps. The transition systems always satisfy the following two properties. First, if time can advance by a particular amount d in two steps (with no intervening discrete steps), then it can also advance by d in a single step. And second, if time can advance by d in one step from state s' to state s, then there exists an assignment (a trajectory) that maps all times in the interval [0, d] to automaton states in a "consistent" way to explain how the system evolves from s' to s. This motivates our formal definition of a timed automaton as an automaton (in the sense of Part I) whose set of actions includes the set $\mathbb{R}^+$ of positive reals, and which satisfies the above two properties for time-passage. We believe that timed automata, defined in this way, provide an excellent basis for defining and studying behavioral preorders and simulation proof techniques for timing-based systems. Since timed automata can be viewed as an underlying semantic domain for any of the models, languages and logics of [2, 5, 7, 8, 9, 11, 14, 17, 20, 25, 26, 27, 48, 50, 52, 54, 61, 62], all the results that we obtain for timed automata carry over directly to those settings.

For convenience, we use $\mathbb{R}^+$ as our domain of times in this paper. The need for dense-time models has been well discussed in [4]. However, for the purpose of generality we could have parameterized our timed automata by an arbitrary (possibly discrete) time domain in the sense of [27, 53, 28]. We do not assume a general lower bound on the time between events, or an upper bound on the number of instantaneous actions; this choice is also made in e.g., [7, 2, 9, 25, 48, 53, 61], but still distinguishes our model from many others, e.g., [11, 17, 20, 50, 52, 55, 62]. The cost of this generality is that our timed automata may produce some annoying "Zeno executions", i.e., infinite executions in which the sum of the time-passage actions is bounded.

In order to define correctness for timed automata, we define two notions of external behavior. First, as the finite behaviors of a timed automaton, we take the finite timed traces, each of which consists of a finite sequence of timed visible actions together with a final time of observation. Second, as the infinite behaviors, we take the admissible timed traces, each of which consists of a sequence of timed visible actions that occurs in some execution in which the time grows unboundedly (i.e., a "non-Zeno" infinite execution). In [16] it is argued that inclusion of finite and admissible timed traces is a good notion of implementation, provided that the implementation automaton has a sufficiently rich collection of admissible executions.

Inclusion of finite and admissible timed traces is implied by inclusion of finite and infinite traces (if we consider the $\mathbb{R}^+$ actions as external/visible). Consequently all the simulation proof techniques that we developed in Part I are still "sound" for proving inclusion of timed traces, in the sense that if one has established a simulation between timed automata A and B it follows that the timed traces of A are included in those of B. However, "completeness" is lost in the sense that it may occur that the timed traces of a timed automaton A are included in those of a timed automaton B, but that there exists no simulation from A to B, not even if it is allowed to use auxiliary intermediate timed automata. One reason for this is that several of the constructions that were used in the proofs of completeness results in Part I, such as the canonical automaton and the unfolding, do not yield timed automata in general. Also — and this is much more serious — inclusion of timed traces differs from inclusion of traces in the case of systems with internal actions.

Example 1.1 Let A be the timed automaton that performs no discrete actions but just lets time advance: the set of states of A is $\mathbb{R}^{\geq 0}$, with 0 the initial state, and there is a step $t \xrightarrow{d} t + d$, for each $t \in \mathbb{R}^{\geq 0}$ and $d \in \mathbb{R}^+$. Let B be the timed automaton that behaves exactly as A, except that it performs an internal $\tau$-step at time 1: the set of states of B is $\mathbb{R}^{\geq 0} \times \{T, F\}$, with $(0, T)$ the initial state, and there are steps

• $(t, T) \xrightarrow{d} (t + d, T)$, for each $t \in \mathbb{R}^{\geq 0}$ and $d \in \mathbb{R}^+$ with $t + d \leq 1$;

• $(1, T) \xrightarrow{\tau} (1, F)$;

• $(t, F) \xrightarrow{d} (t + d, F)$, for each $t \in \mathbb{R}^{\geq 0}$ and $d \in \mathbb{R}^+$.

Then A and B have different sets of traces since A has a trace consisting of the single (time-passage) action 2, which B does not have.



In our opinion, this example shows that traces are not the right notion of behavior for 
timed automata: through the absence of certain traces with large time-passage steps the 
presence of certain internal actions in the system is revealed, and thus internal actions are 
not truly invisible. Internal actions have received proper attention in the context of process 
algebras based on bisimulation or failures, and thus the two systems of Example 1.1 are 
identified in the approaches of (for instance) [30, 55, 14]. In models based on linear time 
semantics, however, internal (or stuttering) actions have largely been ignored. Abadi and 
Lamport [2] advocate the use of untimed trace inclusion (logical implication in TLA) as an 
implementation relation for timed systems. Although this "old-fashioned recipe" works in 
many practical cases, the two systems of Example 1.1, which can easily be translated to the 
state-based setting of [2], indicate that it cannot be used in general, and that a serious effort 
is required to fully adapt existing formalisms for untimed systems to the timed setting. 

Simulation methods have long been used successfully for the verification of untimed concurrent systems. In Part I of this paper [44], we gave a unified, comprehensive presentation of simulation techniques for untimed systems, including refinements, forward simulations, backward simulations, forward-backward and backward-forward simulations, history and prophecy relations. We showed relationships among the different types of simulations and soundness and completeness theorems. Part I also contains pointers to examples of uses of simulation methods for verification.

Because simulations have been so successful for untimed systems, we believe that they 
will also prove to be successful for timed systems. (Considerable evidence for this is described 
below.) Thus, in writing Part II of this paper, our goal has been to define timed versions of 
all the simulations in Part I (timed refinements, timed forward simulations, etc.) in terms 
of timed automata, and to establish the timed versions of all the soundness, completeness 
and other results of Part I. 

The definitions of all of our timed simulations are analogous to the definitions of the corresponding untimed simulations in Part I, but are based on our new notions of external behavior. It turns out that the results for timed simulations are almost entirely analogous to those for the untimed simulations (even though it requires considerable effort to prove this). In fact, in many cases, we are able to derive the results for timed simulations as consequences of the results for untimed simulations. In the remaining cases, new proofs analogous to those in Part I are presented. Our presentation highlights the adaptability of the various simulation techniques from the untimed to the timed setting. There is just one minor result from Part I, Proposition 3.12, that does not carry over to the timed setting. We remark that we found the definitions involving timed automata and their simulations quite difficult to get "right". These definitions involve many choices, most of which either lead to longer proofs or fail to yield all the properties established in this paper. The problem of developing a theory of timed transition systems and timed simulations with analogues of all the results of Part I is still open.

This paper does not contain examples of verifications carried out using timed simulations. However, our timed simulations have already been used extensively elsewhere [12, 23, 32, 34, 35, 36, 37, 38, 45, 58, 60]. The algorithms and systems verified in these papers include toy examples such as counters and process races, as well as substantial real examples such as a clock-based at-most-once message delivery protocol, a clock synchronization algorithm, two mutual exclusion algorithms, a leader election algorithm, and a communication protocol used in a consumer electronics system. They also include a toy process control example involving control of a railroad crossing gate. An interesting feature of these proofs is that the simulations have been used not only to prove "ordinary" safety properties, as in the untimed setting, but also to prove timing properties, e.g., upper and lower bounds on time. In this way, the power of simulation techniques seems to be much greater in the timed setting than in the untimed setting. Also, the systems verified are typically parameterized by arbitrary parameters representing process speeds, message delivery times, clock rates, etc., so that the results are very general. In [35, 19], three of the proofs are automated using the Larch Prover [22].

We consider the main contributions of this paper to be the following: (a) The definition of a timed automaton and of its external behavior. (b) The extension of simulation notions for untimed systems to the timed setting. (c) The unified presentation of all the simulation techniques together with their basic soundness and completeness properties. (d) The presentation of many auxiliary definitions and results, for instance about sampling of computations, timed forests, timed unfolding, a timed version of the historization construction of [29], etc. (e) The fact that our presentation parallels, and is based closely on, a similar development for untimed systems.

The rest of the paper is organized as follows. Section 2 contains the definitions for 
timed automata and their executions and traces. Section 3 contains some definitions and 
results for restricted types of timed automata. Section 4 discusses the structures that can 
be obtained as the behaviors of timed automata. Section 5 contains the definitions of all the 
timed simulations. Sections 6 and 7 contain the major results of the paper - the relationships 
among the timed simulations and the soundness and completeness results. Section 6 contains 
those results that are derived from corresponding results for the untimed case, while Section 7 
contains those results that require new proofs, in particular, the construction of auxiliary 
(intermediate) timed automata. Section 7 also contains the single example of a result from 
Part I that does not carry over to the timed setting. Section 8 describes how invariants can 
be included in the simulations. Finally, Section 9 contains some conclusions. Appendix A 
contains a discussion of some alternative axioms for timed automata, and Appendix B gives 
a glossary of notational conventions that we use. Because of the strong dependence of this 
paper on Part I [44], we have not tried to write this paper in a self-contained manner. Thus, 
we employ freely the notation and definitions of Part I, and refer in many places to the 
results from Part I. 



2 Timed Automata and Their Behaviors 

In this section, we present the timed automaton model. We define "timed executions", which describe how timed automata operate, and "timed traces", which describe their externally-visible behavior. A timed execution includes information about discrete changes to the automaton's state, plus information about the evolution of the state as time passes continuously.

Since timed automata are a special case of the (untimed) automata defined in Part I 
of this paper [44], the notions of "execution" and "trace" for untimed automata also make 
sense for timed automata. We relate the notions of execution and timed execution for a 
timed automaton: an execution can be regarded as "sampling" the state information of a 
timed execution at a countable number of points in time. Also, we relate the notion of trace 
and timed trace. 

2.1 Timed Automata 

A timed automaton (or timed transition system) A is an automaton (as defined in Part I) whose set of actions includes $\mathbb{R}^+$, the set of positive reals.$^1$ Actions from $\mathbb{R}^+$ are referred to as time-passage actions, while non-time-passage actions are referred to as discrete actions. We let $d, d', \ldots$ range over $\mathbb{R}^+$ and more generally, $t, t', \ldots$ over the set $\mathbb{R}^{\geq 0} \cup \{\infty\}$ of nonnegative real numbers plus infinity. The set of visible actions is defined by $vis(A) = ext(A) \setminus \mathbb{R}^+$. In this part of the paper, $A, B, \ldots$ will range over timed automata. We assume that a timed automaton satisfies two axioms.

S1 If $s' \xrightarrow{d} s''$ and $s'' \xrightarrow{d'} s$, then $s' \xrightarrow{d + d'} s$.

For the second axiom, we need an auxiliary definition of a trajectory, which describes the state changes that can occur during time-passage. Namely, if I is any left-closed interval of $\mathbb{R}^{\geq 0}$ beginning with 0, then an I-trajectory is a function $w : I \to states(A)$ such that

$$w(t) \xrightarrow{t' - t} w(t') \quad \text{for all } t, t' \in I \text{ with } t < t'.$$

Thus, a trajectory assigns a state to each time in the interval I, in a "consistent" manner. We define w.ltime, the "last time" of w, to be the supremum of I. In particular, if I is an infinite interval then w.ltime is $\infty$. We define w.fstate to be w(0), and if I is right-closed, we also define w.lstate to be w(w.ltime). A trajectory with a domain that is the single-point interval [0, 0] is also called a trivial trajectory. A trajectory for a step $s' \xrightarrow{d} s$ is a [0, d]-trajectory w such that w.fstate = s' and w.lstate = s. Now we can state the second axiom.

S2 Each time-passage step $s' \xrightarrow{d} s$ has a trajectory.

Axiom S1 allows repeated time-passage steps to be combined into one step. Axiom S2 is a kind of converse to S1; it says that any time-passage step can be "filled in" with states for each intervening time, in a consistent way.



1 The decision to use only positive reals as time-passage actions is a matter of taste. We could have allowed for a 0-action with as additional axiom

S0 $s' \xrightarrow{0} s$ if and only if $s' = s$.

However, we would like to distinguish the discrete action $\tau$ from the time-passage action 0, both for conceptual and technical reasons: the definitions of several process algebraic operations on timed automata, as discussed in [42], become much more involved if $\tau$'s are treated as time-passage actions.



In the modelling of hybrid systems, trajectories are often used to describe the evolution 
of physical parameters such as position, velocity, acceleration, temperature, and pressure. In 
such cases, each trajectory w is describable as a continuous function of time. Several models 
for hybrid systems [47, 6] include the assumption that trajectories are continuous. However, 
besides the model of this paper there are also models that do not include such an assumption 
[51], and in fact we do not need continuity of trajectories for our results. 

Axiom S2 is a strengthening of a similar axiom proposed by Wang [61] and used in [42, 53], which, rephrased in our terminology, reads:

S2' If $s' \xrightarrow{d} s$ and $0 < d' < d$, then there is an $s''$ such that $s' \xrightarrow{d'} s''$ and $s'' \xrightarrow{d - d'} s$.

The stronger condition seems natural to us — for example, it provides a direct way of 
modelling changes in physical parameters in a hybrid system. Besides, we need it for some 
of our results, for instance, Lemma 3.4. In Appendix A, we discuss the relationship between 
axioms S2 and S2' in more detail and show that S2' does not in general imply S2. 

It is possible to combine two "compatible" trajectories of a timed automaton A into one: if $w_1$ is an $I_1$-trajectory, where $I_1$ is right-closed, if $w_2$ is an $I_2$-trajectory, if $w_1.\mathit{lstate} = w_2.\mathit{fstate}$, and if we let $l_1 = w_1.\mathit{ltime}$, then we can define $w_1 \cdot w_2$ to be the least function w such that: $w(t) = w_1(t)$ for $t \in I_1$, and $w(t + l_1) = w_2(t)$ for $t \in I_2$.

Lemma 2.1 If $w = w_1 \cdot w_2$ then w is an I-trajectory, where $I = I_1 \cup \{t + l_1 \mid t \in I_2\}$.

Proof: Choose $t, t' \in I$ with $t < t'$. We show that $w(t) \xrightarrow{t' - t} w(t')$. If $t' \leq l_1$, this follows from the fact that $w_1$ is an $I_1$-trajectory, while if $t \geq l_1$, this follows from the fact that $w_2$ is an $I_2$-trajectory.

The remaining case is where $t < l_1 < t'$. In this case, the fact that $w_1$ is an $I_1$-trajectory implies that $w_1(t) \xrightarrow{l_1 - t} w_1.\mathit{lstate}$, which implies that $w(t) \xrightarrow{l_1 - t} w_1.\mathit{lstate}$. Also, the fact that $w_2$ is an $I_2$-trajectory implies that $w_2.\mathit{fstate} \xrightarrow{t' - l_1} w_2(t' - l_1)$, which implies that $w_2.\mathit{fstate} \xrightarrow{t' - l_1} w(t')$. Since $w_1.\mathit{lstate} = w_2.\mathit{fstate}$, axiom S1 implies that $w(t) \xrightarrow{t' - t} w(t')$, as needed. ∎

Likewise, we may combine a countable sequence of "compatible" trajectories into one: if $w_i$ is an $I_i$-trajectory, for each positive integer i, where all $I_i$ are right-closed, if $w_i.\mathit{lstate} = w_{i+1}.\mathit{fstate}$ and if we let $l_i = w_i.\mathit{ltime}$, for all i, then the infinite concatenation $w_1 \cdot w_2 \cdot w_3 \cdots$ is defined to be the least function w such that $w(t + \sum_{j < i} l_j) = w_i(t)$ for all $t \in I_i$.

Lemma 2.2 If $w = w_1 \cdot w_2 \cdot w_3 \cdots$ then w is an I-trajectory, where $I = \bigcup_i \{t + \sum_{j < i} l_j \mid t \in I_i\}$.

2.2 Timed Executions 

Since a timed automaton is a special case of an automaton (as defined in Part I), we already 
have a notion of execution for timed automata; an execution is an alternating sequence of 
states and actions (including time-passage actions as a special case), subject to the natural 
consistency constraints. However, this type of execution only describes the system state at 
a countable number of points in time. Since our trajectory axiom gives us the ability to 
associate states with all the real times occurring during a time-passage step, we define a 
notion of timed execution, which includes such information. The usual kind of execution can 
be regarded as "sampling" a timed execution at countably many points in time, as we show 
in Section 2.4.2 below. 




2.2.1 Basic Definitions 

A timed execution fragment of a timed automaton A is a finite or infinite alternating sequence $W = w_0 a_1 w_1 a_2 w_2 \cdots$, where:

1. Each $w_i$ is a trajectory and each $a_i$ is a discrete action.

2. If W is a finite sequence then it ends with a trajectory.

3. If $w_i$ is not the last trajectory in W then its domain is a right-closed interval and $w_i.\mathit{lstate} \xrightarrow{a_{i+1}} w_{i+1}.\mathit{fstate}$.

An execution fragment describes all the discrete changes that occur, plus the evolution of the state during time-passage steps. The last property says that each pair $(w_i, w_{i+1})$ of successive trajectories in the fragment "matches up" properly, in that the intervening discrete action $a_{i+1}$ spans properly between the last state of $w_i$ and the first state of $w_{i+1}$.

Note that the definition of a timed execution fragment allows the modelling of consecutive 
discrete actions, without intervening time-passage. In this case, the trajectory between the 
two discrete actions is trivial. 

If W is a timed execution fragment then we let W.ltime denote $\sum_i w_i.\mathit{ltime}$. Note that we allow the case where the domain of the final trajectory is of the form $[0, \infty)$; in this case, $W.\mathit{ltime} = \infty$. We define the first state of W, W.fstate, to be $w_0.\mathit{fstate}$. A timed execution is a timed execution fragment W for which W.fstate is a start state.

Note that the super-dense computations of [47] correspond closely to our timed executions.

2.2.2 Finite, Admissible and Zeno Timed Executions 

In this paper, we will be interested in certain subclasses of the set of timed executions: the 
finite, admissible and Zeno timed executions. The distinctions involve whether or not time 
passes to infinity, and whether an infinite or finite amount of activity occurs. Thus, we define 
a timed execution fragment W to be 

1. finite if W is a finite sequence and the domain of its final trajectory is a right-closed 
interval, 

2. admissible if W.ltime = oo, and 

3. Zeno if W is neither finite nor admissible. 

If W is a finite timed execution fragment with final trajectory $w_i$, then W.ltime is finite. In this case, we define W.lstate, the last state of W, to be $w_i.\mathit{lstate}$. We define a state s to be t-reachable in timed automaton A provided that there is a finite timed execution W such that W.lstate = s. The following fact follows directly by axiom S2.

Lemma 2.3 A state s of a timed automaton A is t-reachable if and only if it is reachable, 
i.e., there is an ordinary finite execution of A that ends in s. 



An important implication of Lemma 2.3 is that any technique that can prove that a property 
holds for all final states of (ordinary) finite executions is a sound technique for proving that 
a property holds in all t-reachable states of a timed automaton. In particular, induction on 
the steps of ordinary executions is sound in this sense. 

If W is a finite timed execution fragment with final trajectory $w_i$, W' is a timed execution fragment with initial trajectory w', and $w_i.\mathit{lstate} = w'.\mathit{fstate}$, then we define $W \cdot W'$ to be the timed execution fragment obtained by concatenating the sequences W and W', except that the consecutive pair of trajectories $w_i$ and w' is replaced by $w_i \cdot w'$. Lemma 2.1 implies that $W \cdot W'$ is in fact a timed execution fragment. If W and W' are timed execution fragments, then define W to be a t-prefix of W', denoted by $W \leq W'$, if either $W = W'$, or else W is finite and there exists a timed execution fragment W'' such that $W \cdot W'' = W'$. Relation $\leq$ is a partial ordering on timed execution fragments.

The admissible timed execution fragments are those in which time passes without bound. Since (we believe) time does pass without bound in the real world, it is reasonable to restrict attention to the admissible timed executions when arguing the correctness of a system represented as a timed automaton. In this paper, we focus on the admissible and finite timed executions, and mostly ignore Zeno timed executions. We denote by $t\text{-}frag^*(A)$, $t\text{-}frag^\infty(A)$ and $t\text{-}frag(A)$ the sets of finite, admissible and all timed execution fragments of A. Similarly, we denote by $t\text{-}execs^*(A)$, $t\text{-}execs^\infty(A)$ and $t\text{-}execs(A)$ the sets of finite, admissible and all timed executions of A.

The notion of admissibility is the only notion of liveness that we include in our model. Many untimed automaton models (e.g., [40, 46, 31]) include facilities for describing rich classes of liveness properties, for example, various notions of fairness. In the timed setting, it is often possible to replace liveness notions with corresponding timing restrictions. These can be expressed by restrictions on time-passage steps, so they do not require any special machinery. The notion of admissibility is in some sense more tractable mathematically than some other liveness notions, e.g., the notion of a "fair execution" in the I/O automaton model [40]. This is because the admissible timed executions of a timed automaton can be expressed as the limits of infinite sequences of finite timed executions.

Proposition 2.4 The admissible timed executions are exactly the limits of the infinite sequences of finite timed executions, where each timed execution in the sequence is a t-prefix of the next and the ltime values approach $\infty$.

The characterization in Proposition 2.4 permits the reduction of questions about infinite behaviors to questions about their finite prefixes. A similar reduction is not possible in untimed models that incorporate fairness.

One could extend the timed automaton model presented here by adding other liveness 
properties. Such an extended model is defined, and its properties explored, in [32, 58, 16]. 
In [32, 58], the extended model is also applied to substantial communication examples. 

Zeno timed executions are a technical anomaly; they represent an infinite amount of activity occurring in a finite amount of time, which is (we believe) impossible in reality. Nevertheless, our definition of timed automata does admit Zeno executions. There are two types of Zeno timed executions in our model:

1. those containing infinitely many discrete actions, but for which ltime is finite, and

2. those containing finitely many discrete actions, but for which the domain of the final trajectory is a right-open interval with a finite supremum.

For this second type of Zeno timed execution, the "infinite amount of activity occurring in a finite amount of time" corresponds to an infinite number of time-passage steps needed to span the final interval.

According to our definitions, there are timed automata in which from some (or even all) states no admissible timed execution fragment is possible. This can be, for instance, because from these states time can continue advancing, but not beyond a certain point (that is, all timed execution fragments starting from these states are Zeno), or because time cannot advance at all (that is, a time deadlock occurs). Our model does allow time deadlocks. However, in several of our theorems we will require that the timed automata be "feasible": a timed automaton is feasible provided that each finite timed execution is a t-prefix of some admissible timed execution.$^2$ A feasible timed automaton does not have time deadlocks, but it will have Zeno timed executions, simply because each feasible timed execution has t-prefixes that are Zeno timed executions.

2.3 Timed Traces 

Since a timed automaton is an automaton (as defined in Part I), we already have a notion of trace for timed automata. However, the traces of timed automata do not provide a sufficiently abstract notion of external behavior for timed automata, because they do not reflect the invisible nature of time-passage actions (see Example 1.1 in the introduction). In this subsection, we define a new notion of external behavior for timed automata, which we call timed traces. These do not include explicit time-passage events, but do include information about the real time of visible events, as well as the final time up to which the observation is made.

We first define the auxiliary technical notion of a timed sequence pair, a general data type that is used in the definition of a timed trace.

2.3.1 Timed Sequence Pairs 

Let K be any set with $K \cap \mathbb{R}^+ = \emptyset$. Then a timed sequence over K is defined to be a (finite or infinite) sequence $\delta$ over $K \times \mathbb{R}^{\geq 0}$ in which the time components are nondecreasing, i.e., if $(k, t)$ and $(k', t')$ are consecutive elements in $\delta$ then $t \leq t'$. We say that $\delta$ is Zeno if it is infinite and the limit of the time components is finite.

A timed sequence pair over K is a pair $p = (\delta, t)$, where $\delta$ is a timed sequence over K and $t \in \mathbb{R}^{\geq 0} \cup \{\infty\}$, such that t is greater than or equal to the limit of the time components in $\delta$, and equal to this limit if $\delta$ is an infinite sequence. We write p.seq and p.ltime for the two respective components of p, and denote by tsp(K) the set of timed sequence pairs over K. We say that a timed sequence pair p is finite if both p.seq and p.ltime are finite, and admissible if p.seq is not Zeno and p.ltime = $\infty$.

Let p and p' be timed sequence pairs over K with p finite. Then define $p \cdot p'$ to be the timed sequence pair $(p.\mathit{seq}\ \delta,\ p.\mathit{ltime} + p'.\mathit{ltime})$, where $\delta$ is the modification of p'.seq obtained by adding p.ltime to all the time components. If p and q are timed sequence pairs over K, then p is a prefix of q, denoted by $p \leq q$, if either $p = q$, or p is finite and there exists a timed sequence pair p' such that $p \cdot p' = q$. Relation $\leq$ is a partial ordering on the set of timed sequence pairs over K.

2 This property is called nonZenoness in [2].

We describe how to translate from a sequence over $K \cup \mathbb{R}^+$ to a timed sequence pair over K and vice versa. First, if $\beta$ is any sequence over $K \cup \mathbb{R}^+$, then we define the time of occurrence of any K-element in $\beta$ to be the sum of all the reals that precede that element in $\beta$. We also define $\beta.\mathit{ltime}$ to be the sum of all the reals in $\beta$. In case $\beta$ is the empty sequence, we define $\beta.\mathit{ltime} = 0$. Finally, we define $t\text{-}trace(\beta)$ to be the timed sequence pair $(\delta, \beta.\mathit{ltime})$, where $\delta$ is the subsequence of $\beta$ consisting of all the elements of K, each paired with its time of occurrence.

Conversely, if p is a timed sequence pair over K, then we define trace(p), a corresponding sequence over $K \cup \mathbb{R}^+$. Namely, if p.ltime is finite or p.seq is infinite, then let trace(p) be the unique sequence $\beta$ over $K \cup \mathbb{R}^+$ such that $p = t\text{-}trace(\beta)$ and such that $\beta$ does not contain two consecutive elements of $\mathbb{R}^+$. On the other hand, if p.ltime is infinite and p.seq finite, then let trace(p) be the unique sequence $\beta$ over $K \cup \mathbb{R}^+$ such that $p = t\text{-}trace(\beta)$, such that $\beta$ does not contain two consecutive elements of $\mathbb{R}^+$ prior to the last K element, and such that the portion of $\beta$ after the last K element is the default sequence $1\,1\,1 \cdots$.

Thus by construction: 

Lemma 2.5 For any timed sequence pair $p$ over $K$, t-trace(trace($p$)) = $p$.

Let $\beta$ be a sequence over $K \cup \mathbb{R}^+$. Then we say that $\beta$ is admissible if the sum of the positive reals in $\beta$ is infinite.

Lemma 2.6 $\beta$ is admissible if and only if t-trace($\beta$) is admissible.

It is not the case that $\beta$ is finite if and only if t-trace($\beta$) is finite. A counterexample is provided by the infinite sequence $1\ \tfrac{1}{2}\ \tfrac{1}{4} \cdots$, of which the associated timed sequence pair $(\lambda, 2)$ is finite. (Recall that $\lambda$ is the empty sequence.)
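As an added worked example (not code from the paper), the finite case of the translation above in Python: t-trace($\beta$) and trace($p$) for a sequence over $K \cup \mathbb{R}^+$ represented as a list of action names and positive floats, plus the concatenation $p \cdot p'$ and the prefix relation of Section 2.3.1. The list/tuple representation and the function names are assumptions of this example.

```python
"""Finite case of the t-trace / trace translation for timed sequence pairs.

Added worked example, not code from the paper.  Representation assumed here:
a sequence beta over K u R+ is a Python list whose elements are action names
(str, the K-elements) or positive floats (time-passage amounts); a timed
sequence pair p = (delta, ltime) is a tuple (tuple of (action, time) pairs,
ltime) with nondecreasing times.  Only finite beta and finite ltime are
handled, so trace(p) always falls in the first case of the definition and
the default sequence 1 1 1 ... after the last K-element never arises.
"""


def t_trace(beta):
    """t-trace(beta) = (delta, beta.ltime): every K-element is paired with
    the sum of the reals preceding it; beta.ltime is the sum of all reals."""
    now, delta = 0.0, []
    for x in beta:
        if isinstance(x, str):
            delta.append((x, now))
        elif x > 0:
            now += x
        else:
            raise ValueError("time-passage amounts must lie in R+")
    return (tuple(delta), now)


def trace(p):
    """trace(p) for a finite timed sequence pair: the unique beta over K u R+
    with t-trace(beta) = p that never has two consecutive reals."""
    delta, ltime = p
    beta, now = [], 0.0
    for k, t in delta:
        if t < now:
            raise ValueError("time components must be nondecreasing")
        if t > now:               # a single real spans the whole gap
            beta.append(t - now)
            now = t
        beta.append(k)
    if ltime < now:
        raise ValueError("ltime must be at least the last time component")
    if ltime > now:               # trailing idle time after the last K-element
        beta.append(ltime - now)
    return beta


def concat(p, q):
    """p . q for finite p: shift q.seq by p.ltime and add the ltimes."""
    (dp, tp), (dq, tq) = p, q
    return (dp + tuple((k, t + tp) for k, t in dq), tp + tq)


def is_prefix(p, q):
    """p <= q: p = q, or p is finite and p . p' = q for some p'."""
    if p == q:
        return True
    (dp, tp), (dq, tq) = p, q
    if dq[:len(dp)] != dp or tq < tp:
        return False
    # The remainder of q.seq must be the shifted p'.seq, so no element of
    # it may occur before p.ltime.
    return all(t >= tp for _, t in dq[len(dp):])


# Constructed sample input: idle 0.5, a, idle 1.0 then 0.5 more, b, c, idle 1.0
BETA = [0.5, "a", 1.0, 0.5, "b", "c", 1.0]


def roundtrip_demo():
    """Lemma 2.5 in the finite case: t-trace(trace(p)) = p, while
    trace(t-trace(beta)) need not give back beta (adjacent reals merge)."""
    p = t_trace(BETA)
    return p, trace(p), t_trace(trace(p)) == p
```

Running `roundtrip_demo()` shows that the two consecutive reals 1.0 and 0.5 in BETA come back as the single real 1.5, which is why the translation is only one-to-one from timed sequence pairs to sequences, not the other way round.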

2.3.2 Timed Traces of Timed Automata 

Suppose that $W = w_0 a_1 w_1 a_2 w_2 \cdots$ is a timed execution fragment of a timed automaton $A$. For each $a_i$, define the time of occurrence $t_i$ to be $\sum_{j<i} w_j.ltime$, i.e., the sum of the lengths of all the trajectory intervals preceding $a_i$ in $W$. Let $\delta = (a_1, t_1)(a_2, t_2)\cdots$ be the sequence consisting of the actions in $W$ paired with their times of occurrence. Then t-trace($W$), the timed trace of $W$, is defined to be the pair³

$$\textit{t-trace}(W) = (\delta \lceil (\textit{vis}(A) \times \mathbb{R}^{\geq 0}),\ W.ltime).$$

Thus, t-trace(W) records the occurrences of visible actions together with their times of 
occurrence, as well as the last time. Note that neither internal actions nor time-passage 
actions appear explicitly in the timed trace of W. 



3 Recall from Part I that the symbol $\lceil$ denotes the projection of a sequence on a subset of the domain of its elements.

Lemma 2.7 If $W$ is a timed execution fragment of $A$ then t-trace($W$) is a timed sequence pair over vis($A$).

Lemma 2.8 If $W = W_1 \cdot W_2$ is a timed execution fragment of $A$ then t-trace($W$) = t-trace($W_1$) $\cdot$ t-trace($W_2$).

A timed trace of $A$ is the timed trace of any finite or admissible timed execution of $A$. Thus, we explicitly exclude the traces of Zeno executions. We write t-traces($A$) for the set of all timed traces of $A$, t-traces$^*$($A$) for the set of finite timed traces, i.e., those that are derived from finite timed executions of $A$, and t-traces$^\infty$($A$) for the admissible timed traces, i.e., those that are derived from admissible timed executions of $A$. The following lemma is a direct consequence of the definitions.

Lemma 2.9 The sets t-traces$^*$($A$) and t-traces$^\infty$($A$) consist of finite timed sequence pairs and admissible timed sequence pairs over vis($A$), respectively.

These notions induce three natural preorders on timed automata. Namely, we define $A \leq^t_T B$ to mean that t-traces($A$) $\subseteq$ t-traces($B$), $A \leq^{*t}_T B$ to mean that t-traces$^*$($A$) $\subseteq$ t-traces$^*$($B$), and $A \leq^{\infty t}_T B$ to mean that t-traces$^\infty$($A$) $\subseteq$ t-traces$^\infty$($B$). The kernels of these preorders are denoted by $\equiv^t_T$, $\equiv^{*t}_T$ and $\equiv^{\infty t}_T$, respectively.

2.3.3 Moves 

We include in this section one last definition, which is used in all the simulation definitions 
in Section 5. 

Suppose $A$ is a timed automaton, $s'$ and $s$ are states of $A$, and $p$ is a timed sequence pair over vis($A$). Then we say that $(s', p, s)$ is a t-move of $A$, and write $s' \stackrel{p}{\leadsto}_A s$, or just $s' \stackrel{p}{\leadsto} s$ when $A$ is clear, if $A$ has a finite timed execution fragment $W$ with $W.fstate = s'$, t-trace($W$) = $p$ and $W.lstate = s$.

Lemma 2.10 Suppose $p$, $p_1$ and $p_2$ are timed sequence pairs over vis($A$) and $p = p_1 \cdot p_2$.

1. If $s' \stackrel{p_1}{\leadsto}_A s''$ and $s'' \stackrel{p_2}{\leadsto}_A s$ then $s' \stackrel{p}{\leadsto}_A s$.

2. If $s' \stackrel{p}{\leadsto}_A s$ then there exists $s''$ such that $s' \stackrel{p_1}{\leadsto}_A s''$ and $s'' \stackrel{p_2}{\leadsto}_A s$.

2.4 Relating Timed and Untimed Execution Fragments 

In this subsection, we present some close connections between the timed execution fragments and the (ordinary) execution fragments of a timed automaton. Roughly speaking, an execution fragment can be regarded as "sampling" the state information in a timed execution fragment at a countable number of points in time. This close correspondence allows techniques for reasoning about ordinary execution fragments to be used for timed execution fragments (and vice versa).
2.4.1 Execution Fragments of Timed Automata

Suppose that $\alpha$ is an (ordinary) execution fragment of timed automaton $A$. We may define various timing notions for $\alpha$ simply, as follows.

$$\textit{t-trace}(\alpha) = \textit{t-trace}(\textit{trace}(\alpha))$$
$$\alpha.ltime = \textit{trace}(\alpha).ltime$$

As in Part I, $\alpha$ is defined to be finite if it is a finite sequence. We define $\alpha$ to be admissible if $\alpha.ltime = \infty$, and Zeno if it is neither finite nor admissible.
2.4.2 Sampling

To see the connections between the timing notions defined for (ordinary) executions and the corresponding ones for timed executions, we define a notion of "sampling".

Let $\alpha = s_0 a_1 s_1 \ldots$ be an execution fragment of $A$ and $W = w_0 b_1 w_1 \ldots$ be a timed execution fragment of $A$. We define two auxiliary functions: $f$ gives for each index $i$ of $\alpha$ the number of discrete actions that precede $s_i$, and $g$ gives for each index $i$ of $\alpha$ the amount of time between $s_i$ and the last discrete action preceding $s_i$. Formally, for all $i$,

$$f(0) = 0, \qquad f(i+1) = \begin{cases} f(i) + 1 & \text{if } a_{i+1} \text{ discrete,} \\ f(i) & \text{otherwise,} \end{cases}$$

$$g(0) = 0, \qquad g(i+1) = \begin{cases} 0 & \text{if } a_{i+1} \text{ discrete,} \\ g(i) + a_{i+1} & \text{otherwise.} \end{cases}$$

We say that $\alpha$ samples $W$ provided that the following conditions are satisfied.

1. $f$ is a surjective mapping from indices of $\alpha$ to indices of $W$.

2. For all $i$, $s_i = w_{f(i)}(g(i))$.

3. For all $i > 0$ with $a_i$ discrete, $a_i = b_{f(i)}$ and $g(i-1) = w_{f(i)-1}.ltime$.

4. $\alpha.ltime = W.ltime$.

5. $\alpha$ is finite if and only if $W$ is finite.

The function $f$ maps each state $s_i$ in $\alpha$ to the trajectory of $W$ to which it belongs. The first condition states that for each trajectory of $W$ there should be at least one state of $\alpha$ that belongs to it. The second condition specifies how function $g$ determines the position of $s_i$ within the associated trajectory. The third condition guarantees that the discrete actions match up, and that the amount of idling in between discrete actions is the same for $\alpha$ and $W$. The last two conditions ensure that things match up properly at the end of the executions. The definition immediately implies that if $\alpha$ samples $W$ then $\alpha$ is admissible if and only if $W$ is admissible, and $\alpha$ is Zeno if and only if $W$ is Zeno.
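As an added worked example (not code from the paper), a checker for the five sampling conditions above, written for a single-clock automaton whose state is the value of $now$ and whose trajectories let $now$ grow at rate 1. The list representation of $\alpha$ and $W$, the `Trajectory` class and the clock automaton are assumptions of this example.

```python
"""Does an execution fragment alpha sample a timed execution fragment W?

Added worked example, not code from the paper.  Assumed representation:
alpha is the list s0, a1, s1, a2, s2, ... where each a_i is a discrete
action (str) or a positive float (time passage); W is the list
w0, b1, w1, b2, w2, ... where each b_j is a discrete action and each w_j
is a Trajectory with duration ltime and state map w_j(t), t in [0, ltime].
Only finite fragments are handled, so condition 5 (alpha finite iff W
finite) holds trivially.  The sample automaton is one clock: its state is
the value of `now`, and `now` increases at rate 1 along a trajectory.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Trajectory:
    ltime: float
    at: Callable[[float], float]      # w(t) for t in [0, ltime]

    def __call__(self, t):
        if not 0 <= t <= self.ltime:
            raise ValueError("t outside the trajectory's domain")
        return self.at(t)


def clock_traj(start, d):
    """Trajectory of the clock automaton: now goes from start to start + d."""
    return Trajectory(d, lambda t, s=start: s + t)


def f_and_g(alpha):
    """f(i): number of discrete actions preceding s_i (the index of the
    trajectory of W that s_i belongs to); g(i): time elapsed since the
    last discrete action preceding s_i.  Computed by the recursive
    definitions of the paper, starting from f(0) = g(0) = 0."""
    f, g = [0], [0.0]
    for a in alpha[1::2]:
        if isinstance(a, str):         # a_{i+1} discrete
            f.append(f[-1] + 1)
            g.append(0.0)
        else:                          # a_{i+1} time passage
            f.append(f[-1])
            g.append(g[-1] + a)
    return f, g


def samples(alpha, W):
    """True iff alpha samples W (conditions 1 to 4; 5 is trivial here)."""
    states, actions = alpha[0::2], alpha[1::2]
    trajs, b = W[0::2], W[1::2]        # b[j-1] is the action b_j before w_j
    f, g = f_and_g(alpha)
    # 1. f is surjective onto the trajectory indices of W.
    if set(f) != set(range(len(trajs))):
        return False
    # 2. s_i = w_{f(i)}(g(i)) for every index i of alpha.
    for i, s in enumerate(states):
        if g[i] > trajs[f[i]].ltime or trajs[f[i]](g[i]) != s:
            return False
    # 3. Discrete actions match, and so does the idling before each of them.
    for i, a in enumerate(actions, start=1):
        if isinstance(a, str):
            if a != b[f[i] - 1] or g[i - 1] != trajs[f[i] - 1].ltime:
                return False
    # 4. alpha.ltime = W.ltime.
    alpha_ltime = sum(a for a in actions if not isinstance(a, str))
    return alpha_ltime == sum(w.ltime for w in trajs)


# Constructed sample: the clock idles for 1.0, does `tick`, then idles 0.5.
W = [clock_traj(0.0, 1.0), "tick", clock_traj(1.0, 0.5)]
GOOD = [0.0, 0.5, 0.5, 0.5, 1.0, "tick", 1.0, 0.5, 1.5]       # splits the first idle
BAD_STATE = [0.0, 0.5, 0.7, 0.5, 1.0, "tick", 1.0, 0.5, 1.5]  # s_1 is not w_0(0.5)
TOO_SHORT = [0.0, 1.0, 1.0, "tick", 1.0]                      # stops before W.ltime
```

GOOD shows why the correspondence is many-to-one: any way of splitting the idling of $W$ into time-passage steps yields an execution fragment that samples $W$, while BAD_STATE fails condition 2 and TOO_SHORT fails condition 4.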

The following two lemmas show the close relationship between timed execution fragments and ordinary execution fragments. Note that these connections hold for finite, admissible and Zeno (timed) executions. The proofs are routine; the proof of Lemma 2.11 uses Lemmas 2.1 and 2.2.

Lemma 2.11 If $\alpha$ is an execution fragment of $A$ then there is a timed execution fragment $W$ of $A$ such that $\alpha$ samples $W$.

Lemma 2.12 If $W$ is a timed execution fragment of $A$ then there is an execution fragment $\alpha$ of $A$ such that $\alpha$ samples $W$.

Finally, we relate the definition of timed traces for execution fragments to the corresponding definition for timed execution fragments.

Lemma 2.13 If $\alpha$ samples $W$ then t-trace($\alpha$) = t-trace($W$).

3 Restricted Kinds of Timed Automata 

In this section, paralleling our development in Part I, we define certain restricted kinds of timed automata that are useful in our proofs. Recall that in Part I, we defined what it meant for an untimed automaton to be deterministic, to have finite invisible nondeterminism (fin) and to be a forest. Now we define analogous notions of t-deterministic, t-fin and t-forest.

First, we say that timed automaton $A$ is t-deterministic if $|start(A)| = 1$ and for any state $s'$ and any finite timed sequence pair $p$ over vis($A$), there is at most one state $s$ such that $s' \stackrel{p}{\leadsto}_A s$. It turns out that this notion is equivalent to the original notion of determinism:

Lemma 3.1 Timed automaton $A$ is t-deterministic if and only if it is deterministic.



Proof: Recall that the definition of determinism says that $|start(A)| = 1$ and that for any state $s'$ and finite sequence $\beta$ of actions in ext($A$), there is at most one state $s$ such that $s' \stackrel{\beta}{\Longrightarrow} s$.

$\Rightarrow$: We suppose that $A$ is t-deterministic and show that it is deterministic. The start condition is immediate. Suppose for the sake of contradiction that $A$ is not deterministic; then there exist $s'$, $\beta$, $s_1$ and $s_2$ such that $s' \stackrel{\beta}{\Longrightarrow} s_1$, $s' \stackrel{\beta}{\Longrightarrow} s_2$ and $s_1 \neq s_2$. This means that there are two execution fragments, $\alpha_1$ and $\alpha_2$, each starting with $s'$ and having trace $\beta$, one of which ends in $s_1$ and the other in $s_2$. Then Lemma 2.11 implies that there are two timed execution fragments, $W_1$ and $W_2$, that are sampled by $\alpha_1$ and $\alpha_2$ respectively. By Lemma 2.13, $W_1$ and $W_2$ have the same timed trace, say $p$. It follows that $s' \stackrel{p}{\leadsto} s_1$ and $s' \stackrel{p}{\leadsto} s_2$, which violates t-determinism, yielding the needed contradiction.

$\Leftarrow$: We suppose that $A$ is deterministic and show that it is t-deterministic. The start condition is immediate. Suppose for the sake of contradiction that $A$ is not t-deterministic; then there exist $s'$, $p$, $s_1$ and $s_2$ such that $s' \stackrel{p}{\leadsto} s_1$, $s' \stackrel{p}{\leadsto} s_2$ and $s_1 \neq s_2$. This means that there are two timed execution fragments, $W_1$ and $W_2$, each starting with $s'$ and having timed trace $p$, one of which ends in $s_1$ and the other in $s_2$. Then Lemma 2.12 implies that there are two execution fragments, $\alpha_1$ and $\alpha_2$, that sample $W_1$ and $W_2$ respectively. By Lemma 2.13, $\alpha_1$ and $\alpha_2$ have the same timed trace, say $p$. By applying axiom S2 to split time-passage actions, we may assume without loss of generality that $\alpha_1$ and $\alpha_2$ have the same trace, say $\beta$. It follows that $s' \stackrel{\beta}{\Longrightarrow} s_1$ and $s' \stackrel{\beta}{\Longrightarrow} s_2$, which violates determinism, yielding the needed contradiction. ■

A simple characterization of t-determinism is then obtained from Lemma 3.1 and a characterization of determinism in Part I:

Lemma 3.2 A timed automaton $A$ is t-deterministic if and only if $|start(A)| = 1$, every $\tau$ transition is of the form $(s, \tau, s)$ for some $s$, and for any state $s'$ and any action (either visible, internal or time-passage) $a$ there is at most one state $s$ such that $s' \xrightarrow{a} s$.

Second, we say that $A$ has t-finite invisible nondeterminism (t-fin) if start($A$) is finite, and for any state $s'$ and any finite timed sequence pair $p$ over vis($A$), there are only finitely many states $s$ such that $s' \stackrel{p}{\leadsto} s$. It is not hard to see that the analogous result to Lemma 3.1 for t-fin fails:

Example 3.3 Let $A$ be the timed automaton with no visible actions that can do $\tau$ actions at any time and remembers the times at which it has done these internal actions. The states of $A$ consist of components $now \in \mathbb{R}^{\geq 0}$, initially 0, and $tau\text{-}times \subseteq \mathbb{R}^{\geq 0}$, initially empty. The allowed steps are:

• $s' \xrightarrow{\tau} s$, where $s.now = s'.now$ and $s.tau\text{-}times = s'.tau\text{-}times \cup \{s'.now\}$, plus

• $s' \xrightarrow{d} s$, where $s.now = s'.now + d$ and $s.tau\text{-}times = s'.tau\text{-}times$.

Then $A$ has fin but does not have t-fin.

Third and finally, we say that $A$ is a t-forest if every state $s$ has a unique timed execution $W$ that leads to it, i.e., such that $W.lstate = s$. In the case of timed automata, the original definition of a forest is trivial: no timed automaton that contains a time-passage step can be a forest. This is because if a state $s$ is reached by an execution that ends with a time-passage step, then axiom S2 allows that time-passage step to be split in two, yielding a different execution leading to $s$. We can obtain a characterization of t-forests, analogous to the characterization in Part I for forests:

Lemma 3.4 A timed automaton $A$ is a t-forest if and only if all states of $A$ are reachable, start states have no incoming steps, and for every state $s$, if there are two distinct steps leading to $s$, $r \xrightarrow{a} s$ and $r' \xrightarrow{a'} s$, then $a$ and $a'$ are distinct time-passage actions, and either $r \xrightarrow{a - a'} r'$ or $r' \xrightarrow{a' - a} r$ (depending on whether $a > a'$ or $a' > a$).

Proof: $\Rightarrow$: All states in a t-forest are reachable by Lemma 2.3. It is also easy to see that start states have no incoming steps. So suppose that $r \xrightarrow{a} s$ and $r' \xrightarrow{a'} s$, with $(r, a) \neq (r', a')$. Let $W$ and $W'$ be the unique timed executions leading to $r$ and $r'$, respectively.

We extend $W$ to timed execution $W_1$ by adding the information contained in the step $r \xrightarrow{a} s$. Specifically, if $a$ is a discrete action, we append $a$ and a trivial trajectory with the single state $s$ to $W$. On the other hand, if $a \in \mathbb{R}^+$, we use axiom S2 to obtain a trajectory $w$ for the step $r \xrightarrow{a} s$ and combine $w$ with the final trajectory of $W$; Lemma 2.1 implies that the combination of the two trajectories is itself a trajectory. Likewise, we extend $W'$ to timed execution $W_1'$ by adding the information contained in the step $r' \xrightarrow{a'} s$.

Since $A$ is a t-forest and $W_1$ and $W_1'$ both lead to $s$, it must be that $W_1 = W_1'$. But since $(r, a) \neq (r', a')$, the only way this can happen is if $a$ and $a'$ are both time-passage actions and $a \neq a'$. In this case, the final trajectory $w$ of $W_1 = W_1'$ ends with a trajectory of the step $r \xrightarrow{a} s$, and also ends with a trajectory of the step $r' \xrightarrow{a'} s$. In particular, if $w.ltime = t$, then $w(t - a') = r'$ and $w(t - a) = r$.

If $a < a'$, then $t - a' < t - a$, so the definition of a trajectory implies that $r' \xrightarrow{(t - a) - (t - a')} r$, i.e., $r' \xrightarrow{a' - a} r$. Symmetrically, if $a' < a$, we have $r \xrightarrow{a - a'} r'$. Either situation suffices.

$\Leftarrow$: Because all states of $A$ are reachable, we know by Lemma 2.3 that for each state $s$ there is at least one timed execution that leads to it. We show uniqueness. For any timed execution $W$, define $n(W)$ to be the sum of the number of nontrivial trajectories and the number of actions occurring in $W$. It suffices to prove the following claim for all $k \in \mathbb{N}$:

If $W$ and $W'$ are two timed executions with $n(W) + n(W') \leq k$, and if $W$ and $W'$ lead to the same state $s$, then $W = W'$.

We prove this claim by induction on $k$.

Basis: $k = 0$.
Then each of $W$ and $W'$ consists of a trivial trajectory with the single state $s$, so $W = W'$.

Inductive step: $k > 0$.
If $W$ consists of a single trivial trajectory, then $s$ must be a start state. The fact that $W'$ leads to $s$ implies that the start state $s$ has an incoming step, which is a contradiction. A similar contradiction is reached if $W'$ consists of a single trivial trajectory. Thus, neither $W$ nor $W'$ consists of a single trivial trajectory.

If the last trajectory $w$ of $W$ is trivial, define $a$ to be the last discrete action in $W$, and $r$ the last state of the preceding trajectory. Thus, we have $r \xrightarrow{a} s$. Since each state can have at most one incoming discrete step, the last trajectory of $W'$ must also be trivial, $a$ must be the last discrete action in $W'$, and $r$ the last state of the preceding trajectory of $W'$. If $W_1$ and $W_1'$ are the timed executions obtained from $W$ and $W'$, respectively, by omitting the $a\,w$ fragment at the end, the induction hypothesis gives $W_1 = W_1'$. This implies $W = W'$.

A similar proof can be given for the case in which the last trajectory of $W'$ is trivial. Thus we may assume that neither $W$ nor $W'$ ends with a trivial trajectory.

Define $r = w(0)$ and $a = w.ltime$; the definition of a trajectory implies $r \xrightarrow{a} s$. Likewise, define $r'$, $a'$ and $w'$ for $W'$.

If $a = a'$, then it is easy to prove that $w = w'$. In this case, let $W_1$ and $W_1'$ be the results of removing the last trajectory $w$ from $W$ and $W'$, respectively, replacing it with the trivial trajectory with state $r$. Application of the induction hypothesis gives $W_1 = W_1'$, and this implies $W = W'$.

Assume without loss of generality that $a' > a$. Since $r \xrightarrow{a} s$ and $r' \xrightarrow{a'} s$, we have by assumption $r' \xrightarrow{a' - a} r$. That is, both timed executions end with nontrivial trajectories, and $W$ ends with the shorter one.

We claim that $w(a - t) = w'(a' - t)$ for all $t \in [0, a]$. For if not, then there are two distinct time-passage steps leading to $s$ with the same amount of time-passage, namely, $w(a - t) \xrightarrow{t} s$ and $w'(a' - t) \xrightarrow{t} s$. In particular, $r = w(0) = w'(a' - a)$.

Now let $W_1$ be the result of removing the last trajectory $w$ from $W$, replacing it with the trivial trajectory with state $r$. Also, let $W_1'$ be the result of reducing the last trajectory $w'$ of $W'$ by removing the portion with domain $(a' - a, a']$. Then $W_1$ and $W_1'$ are two timed executions, each of which leads to $r$, and such that $n(W_1) + n(W_1')$ is strictly less than $n(W) + n(W')$. By induction hypothesis, $W_1 = W_1'$. Since the removed portions of $W$ and $W'$ are identical, this implies that $W = W'$. ■
We define the relation t-after($A$) to consist of those pairs $(p, s)$ for which there is a finite timed execution of $A$ with timed trace $p$ and last state $s$.

$$\textit{t-after}(A) = \{(p, s) \mid \exists W \in \textit{t-execs}^*(A) : \textit{t-trace}(W) = p \text{ and } W.lstate = s\}.$$

The relation t-past($A$) = t-after($A$)$^{-1}$ relates a state $s$ of $A$ to the timed traces of timed executions that lead to $s$.

Lemma 3.5

1. If $A$ is t-deterministic then t-after($A$) is a function from t-traces$^*$($A$) to states($A$).

2. If $A$ has t-fin then t-after($A$) is image-finite.

3. If $A$ is a t-forest then t-past($A$) is a function from states($A$) to t-traces$^*$($A$).

Proof: Parts 1 and 2 are straightforward from the definitions.

For 3, suppose that $A$ is a t-forest. Because all states of $A$ are reachable we know that for each state $s$ of $A$, t-past($A$)($s$) contains at least one element. But this element is uniquely determined by the unique timed execution that leads to $s$. ■



4 Timed Trace Properties 

Continuing the analogy with Part I, we define "timed trace properties", the structures that 
we consider as external behaviors for timed automata. We also prove some basic properties of 
timed trace properties and some lemmas relating timed trace properties to timed automata. 

A set of timed sequence pairs is prefix-closed if, whenever a timed sequence pair is in the set, all its prefixes (as defined in Section 2.3.1) are also. A timed trace property $P$ is a pair $(K, L)$ where $K$ is a set and $L$ is a nonempty, prefix-closed set of finite and admissible timed sequence pairs over $K$. We will refer to the constituents of $P$ as sort($P$) and t-traces($P$), respectively. Also, we write t-traces$^*$($P$) for the set of finite timed sequence pairs in t-traces($P$), and t-traces$^\infty$($P$) for the set of admissible timed sequence pairs in t-traces($P$). For $P$ and $Q$ timed trace properties, we define $P \leq^{*t}_T Q \triangleq$ t-traces$^*$($P$) $\subseteq$ t-traces$^*$($Q$), $P \leq^{\infty t}_T Q \triangleq$ t-traces$^\infty$($P$) $\subseteq$ t-traces$^\infty$($Q$), and $P \leq^t_T Q \triangleq$ t-traces($P$) $\subseteq$ t-traces($Q$). The kernels of these preorders are denoted by $\equiv^{*t}_T$, $\equiv^{\infty t}_T$ and $\equiv^t_T$, respectively.

A timed trace property $P$ is limit-closed if each infinite chain $p_1 \leq p_2 \leq p_3 \leq \cdots$ of elements of t-traces$^*$($P$) in which time grows unboundedly has a limit in t-traces$^\infty$($P$), i.e., an admissible timed sequence pair $p$ such that for all $i$, $p_i \leq p$.

Lemma 4.1 Suppose $P$ and $Q$ are timed trace properties with $Q$ limit-closed. Then $P \leq^{*t}_T Q \Leftrightarrow P \leq^t_T Q$.

A timed trace property $P$ is feasible if every element of t-traces$^*$($P$) is a prefix of some element of t-traces$^\infty$($P$).



Lemma 4.2 Suppose $P$ and $Q$ are timed trace properties such that $P$ is feasible. Then

The timed behavior of a timed automaton $A$, t-beh($A$), is defined by

$$\textit{t-beh}(A) = (\textit{vis}(A),\ \textit{t-traces}(A)).$$

Lemma 4.3

1. t-beh($A$) is a timed trace property.

2. If $A$ has t-fin then t-beh($A$) is limit-closed.

3. If $A$ is feasible then t-beh($A$) is feasible.

4. $A \leq^t_T B \Leftrightarrow$ t-beh($A$) $\leq^t_T$ t-beh($B$),
$A \leq^{*t}_T B \Leftrightarrow$ t-beh($A$) $\leq^{*t}_T$ t-beh($B$), and
$A \leq^{\infty t}_T B \Leftrightarrow$ t-beh($A$) $\leq^{\infty t}_T$ t-beh($B$).

Proof: Part 1 follows directly from Lemma 2.9. Parts 3 and 4 are immediate from the definitions.

We sketch the proof of 2; it is analogous to that of Lemma 2.5 of Part I. Suppose $A$ has t-fin and $p_1 \leq p_2 \leq \ldots$ is an infinite chain of timed sequence pairs in t-traces$^*$($A$) such that the limit of the time components of the $p_i$'s is $\infty$. Assume without loss of generality that $p_i < p_{i+1}$ for all $i \geq 1$. Let $p$ be the limit of the $p_i$'s. We must show that $p \in$ t-traces$^\infty$($A$).

We use Lemma A.1 of Part I. This time, $G$ is constructed as follows. The nodes are pairs $(p_i, s)$, where $p_i$ is one of the timed sequence pairs in the sequence above, and $s$ is a state of $A$, such that $(p_i, s) \in$ t-after($A$). There is an edge from node $(p_i, s')$ to node $(p_{i+1}, s)$ exactly if $s' \stackrel{q}{\leadsto}_A s$, where $p_{i+1} = p_i \cdot q$. Using Lemma 2.10, it is not difficult to show that $G$ satisfies the hypotheses of Lemma A.1 of Part I. Then that lemma implies the existence of an infinite path in $G$ starting at a root; given this path, it is easy to construct an admissible timed execution of $A$ having $p$ as its timed trace. ■

Proposition 4.4

1. If $B$ has t-fin then $A \leq^{*t}_T B \Rightarrow A \leq^t_T B$.

2. If $A$ is feasible then $A \leq^{\infty t}_T B \Rightarrow A \leq^t_T B$.

Proof: Part 1 follows from Lemmas 4.1 and 4.3. Part 2 is a corollary of Lemmas 4.2 and 4.3. ■

Example 4.5 We present two timed automata, $B_1$ and $B_2$, which are in a sense the timed analogues of the automata $A_1$ and $A_2$ of Example 2.1 of Part I. The example illustrates the necessity of the t-fin condition in Proposition 4.4(1). Timed automaton $B_1$ performs an $a$-action at each integer time. Each state of $B_1$ has components $now \in \mathbb{R}^{\geq 0}$ and $count \in \mathbb{N}$, both initially 0. $B_1$ has a single visible action $a$, and steps

• $s' \xrightarrow{d} s$, where $s.now = s'.now + d \leq s'.count$ and $s.count = s'.count$;

• $s' \xrightarrow{a} s$, where $s.now = s'.now = s'.count$ and $s.count = s'.count + 1$.

Timed automaton $B_2$ performs an $a$-action at each of finitely many integer times. Each state of $B_2$ has components $now \in \mathbb{R}^{\geq 0}$, initially 0, $count \in \mathbb{N}$, initially 0, and $total \in \mathbb{N}$, initially arbitrary. $B_2$ has a single visible action $a$ and steps

• $s' \xrightarrow{d} s$, where $s.now = s'.now + d \leq s'.count$, $s.count = s'.count$, and $s.total = s'.total$;

• $s' \xrightarrow{a} s$, where $s.now = s'.now = s'.count < s'.total$, $s.count = s'.count + 1$, and $s.total = s'.total$.

Then it is easy to see that $B_1$ has t-fin (in fact, it is t-deterministic). However, $B_2$ does not have t-fin: for instance, it has infinitely many start states. Also, in each finite timed trace of $B_2$, $a$ occurs at every nonnegative integer time up to (and possibly including) the last time, while in the unique admissible timed trace of $B_1$, $a$ occurs at all nonnegative integer times. Then $B_2$ has the same finite timed traces as $B_1$ but no admissible timed traces. It follows that $B_1 \leq^{*t}_T B_2$ but $B_1 \not\leq^t_T B_2$.

Note that it is possible to modify $B_2$ so that it is feasible, yet still demonstrates the same point. Simply allow time to pass in $B_2$ after the last permitted $a$ output.

Example 4.6 In order to see that the feasibility condition in Proposition 4.4(2) is needed, we consider a timed automaton $Z$ with states drawn from the interval $[0, 1)$, start state 0, no visible actions, and steps of the form $t' \xrightarrow{t - t'} t$ whenever $t' < t$. Since $Z$ has no admissible timed traces, it is trivially the case that $Z \leq^{\infty t}_T B_1$. However, because $B_1$ does not allow initial time-passage steps, $Z \not\leq^t_T B_1$.

Again paralleling Part I, we close this section with the construction of the canonical timed automaton for a given timed trace property. For $P$ a timed trace property, the associated canonical timed automaton t-can($P$) is the structure $A$ given by:

• states($A$) = t-traces$^*$($P$),

• start($A$) = $\{(\lambda, 0)\}$,

• acts($A$) = sort($P$) $\cup \{\tau\} \cup \mathbb{R}^+$, and

• for $p', p \in$ states($A$) and $a \in$ acts($A$),

$$p' \xrightarrow{a}_A p \iff a \neq \tau \wedge p' \cdot \textit{t-trace}(a) = p.$$

It is not hard to check that t-can($P$) is in fact a timed automaton.

Lemma 4.7 Suppose $P$ is a timed trace property. Then

1. t-can($P$) is t-deterministic and is a t-forest.

2. t-beh(t-can($P$)) $\equiv^{*t}_T P$.

3. $P \leq^t_T$ t-beh(t-can($P$)).

4. If $P$ is limit-closed then t-beh(t-can($P$)) $\equiv^t_T P$.

5. If $P$ is feasible then t-can($P$) is feasible.

Proof: Part 1 follows easily using Lemmas 3.2 and 3.4. Part 2 follows from the definitions. Since t-can($P$) is t-deterministic it has t-fin, so it follows by Lemma 4.3 that t-beh(t-can($P$)) is limit-closed. Now 3 and 4 follow by combination of 2 and Lemma 4.1. Part 5 is straightforward from the definitions. ■

Lemma 4.8

1. t-can(t-beh($A$)) is t-deterministic and is a t-forest.

2. t-can(t-beh($A$)) $\equiv^{*t}_T A$.

3. $A \leq^t_T$ t-can(t-beh($A$)).

4. If $A$ has t-fin then t-can(t-beh($A$)) $\equiv^t_T A$.

5. If $A$ is feasible then t-can(t-beh($A$)) is feasible.

Proof: By combining Lemmas 4.3 and 4.7. ■

5 Simulations for Timed Automata 

So far, we have presented the timed automaton model and its basic properties. In this section, we define simulation proof methods for timed automata. The properties of these relations are shown in the following two sections. In the definitions below, we require that an $a$ step is simulated by a move t-trace($a$). This means that a $\tau$ step is simulated by the timed sequence pair $(\lambda, 0)$, a visible action $a$ is simulated by the timed sequence pair $((a, 0), 0)$, and a time-passage step $d$ is simulated by the timed sequence pair $(\lambda, d)$.

Suppose A and B are timed automata. 

A timed refinement from $A$ to $B$ is a function $r :$ states($A$) $\to$ states($B$) that satisfies:

1. If $s \in$ start($A$) then $r(s) \in$ start($B$).

2. If $s' \xrightarrow{a}_A s$ then $r(s') \stackrel{p}{\leadsto}_B r(s)$, where $p$ = t-trace($a$).

A timed forward simulation from $A$ to $B$ is a relation $f$ over states($A$) and states($B$) that satisfies:

1. If $s \in$ start($A$) then $f[s] \cap$ start($B$) $\neq \emptyset$.

2. If $s' \xrightarrow{a}_A s$ and $u' \in f[s']$, then there exists a state $u \in f[s]$ such that $u' \stackrel{p}{\leadsto}_B u$, where $p$ = t-trace($a$).

A timed backward simulation from $A$ to $B$ is a total⁴ relation $b$ over states($A$) and states($B$) that satisfies:

1. If $s \in$ start($A$) then $b[s] \subseteq$ start($B$).

2. If $s' \xrightarrow{a}_A s$ and $u \in b[s]$, then there exists a state $u' \in b[s']$ such that $u' \stackrel{p}{\leadsto}_B u$, where $p$ = t-trace($a$).

4 For the definitions of "total", $\mathcal{N}()$, $\mathcal{P}()$, $()^{-1}$, etc., we refer the reader to Appendix A of Part I.

A timed forward-backward simulation from $A$ to $B$ is a relation $g$ over states($A$) and $\mathcal{N}$(states($B$)) that satisfies:

1. If $s \in$ start($A$) then there exists $S \in g[s]$ such that $S \subseteq$ start($B$).

2. If $s' \xrightarrow{a}_A s$ and $S' \in g[s']$, then there exists a set $S \in g[s]$ such that for every $u \in S$ there exists $u' \in S'$ with $u' \stackrel{p}{\leadsto}_B u$, where $p$ = t-trace($a$).

A timed backward-forward simulation from $A$ to $B$ is a total relation $g$ over states($A$) and $\mathcal{P}$(states($B$)) that satisfies:

1. If $s \in$ start($A$) then for all $S \in g[s]$, $S \cap$ start($B$) $\neq \emptyset$.

2. If $s' \xrightarrow{a}_A s$ and $S \in g[s]$, then there exists a set $S' \in g[s']$ such that for every $u' \in S'$ there exists $u \in S$ with $u' \stackrel{p}{\leadsto}_B u$, where $p$ = t-trace($a$).

For each of the above simulations, we will refer to the first condition in the definition as the start condition, and to the second condition as the transfer condition.

A relation $h$ over states($A$) and states($B$) is a timed history relation from $A$ to $B$ if it is a timed forward simulation from $A$ to $B$ and $h^{-1}$ is a timed refinement from $B$ to $A$. A relation $p$ over states($A$) and states($B$) is a timed prophecy relation from $A$ to $B$ if it is a timed backward simulation from $A$ to $B$ and $p^{-1}$ is a timed refinement from $B$ to $A$.

Analogously to Part I, we write $A \leq^t_R B$, $A \leq^t_F B$, etc., to indicate that there is a timed refinement, timed forward simulation, etc., from $A$ to $B$.

Without working out the details, we note here that, analogously to the untimed case, 
there is a full correspondence between timed history/prophecy relations and the obvious 
notions of timed history/prophecy variables. 

We close this section with a technical lemma. The transfer condition of each simulation definition is stated for individual steps of $A$. It is straightforward to deduce a similar condition for moves rather than steps.

Lemma 5.1 Suppose that $A$ and $B$ are timed automata and $s' \stackrel{p}{\leadsto}_A s$.

1. If $r$ is a timed refinement from $A$ to $B$ then $r(s') \stackrel{p}{\leadsto}_B r(s)$.

2. If $f$ is a timed forward simulation from $A$ to $B$ and $u' \in f[s']$, then there exists a state $u \in f[s]$ such that $u' \stackrel{p}{\leadsto}_B u$.

3. If $b$ is a timed backward simulation from $A$ to $B$ and $u \in b[s]$, then there exists a state $u' \in b[s']$ such that $u' \stackrel{p}{\leadsto}_B u$.

4. If $g$ is a timed forward-backward simulation from $A$ to $B$ and $S' \in g[s']$, then there exists a set $S \in g[s]$ such that for every $u \in S$ there exists $u' \in S'$ with $u' \stackrel{p}{\leadsto}_B u$.

5. If $g$ is a timed backward-forward simulation from $A$ to $B$ and $S \in g[s]$, then there exists a set $S' \in g[s']$ such that for every $u' \in S'$ there exists $u \in S$ with $u' \stackrel{p}{\leadsto}_B u$.

Proof: Let $W$ be a timed execution fragment of $A$ such that $s' = W.fstate$, $s = W.lstate$, and $p$ = t-trace($W$). All parts are proved by induction on $k = n(W)$, where, as in the proof of Lemma 3.4, $n(W)$ is the sum of the number of nontrivial trajectories and the number of discrete actions occurring in $W$. As an example, we prove the result for timed refinements; the other cases are similar.

Basis: $k = 0$.
Then $s' = s$, $W$ consists of the trivial trajectory containing the single state $s$, and $p = (\lambda, 0)$. Since $r(s) \stackrel{(\lambda, 0)}{\leadsto}_B r(s)$, we have $r(s') \stackrel{p}{\leadsto}_B r(s)$.

Basis: $k = 1$.
This case follows easily from the transfer condition in the definition of a timed refinement.

Inductive step: $k > 1$.
Then $W$ can be written as $W_1 \cdot W_2$, where $n(W_1) = k - 1$ and $n(W_2) = 1$. Let $s''$ denote $W_1.lstate$ ($= W_2.fstate$). Let $p_1$ = t-trace($W_1$) and $p_2$ = t-trace($W_2$). Then $s' \stackrel{p_1}{\leadsto}_A s''$ and $s'' \stackrel{p_2}{\leadsto}_A s$. By inductive hypothesis, $r(s') \stackrel{p_1}{\leadsto}_B r(s'')$ and $r(s'') \stackrel{p_2}{\leadsto}_B r(s)$. By Lemma 2.8, $p = p_1 \cdot p_2$. Then Lemma 2.10(1) implies that $r(s') \stackrel{p}{\leadsto}_B r(s)$. ■



6 Timed Results from Untimed Results 

In this and the next section we give soundness and completeness results for the various 
simulations defined in Section 5, as well as implication results among them. The distinction 
between the results in this section and those in Section 7 is that the ones given here are all 
derived from corresponding results for the untimed case. The statements of the results in 
Section 7 are also analogous to results of Part I, but these timed results are not derived from 
the untimed results, for instance because they require the construction of an intermediate 
timed automaton. 

Most of the results in this section are presented in the form of a diagram, Figure 1. 
This is the same diagram that appears in Part I for the untimed setting, except for the t 
superscripts. 

The machinery needed to prove the results in this section is developed in Section 6.1. In particular, we define an untimed automaton called the closure automaton, cl($A$), for every timed automaton $A$. We then show close correspondences between $A$ and cl($A$), involving both external behavior notions and simulation relations. These correspondences allow us to derive the results in Section 6.2 from the corresponding results for untimed automata.

6.1 The Closure Automaton 

In this section, we define the closure of a timed automaton, the basic technical device that we will use to derive results about timed automata from corresponding results about untimed automata. Section 6.1.1 contains the definition, Section 6.1.2 gives the relationships between timed traces of a timed automaton and traces of its closure, and Section 6.1.3 gives the relationships between timed simulations between timed automata and simulations between their closures.

6.1.1 Definition

The closure of a timed automaton $A$, denoted by cl($A$), is the automaton $B$ given by

• states($B$) = states($A$),

• start($B$) = start($A$),

• acts($B$) = acts($A$), and

• steps($B$) consists of steps($A$) together with all steps $s' \xrightarrow{d}_B s$, $d \in \mathbb{R}^+$, such that $s' \stackrel{(\lambda, d)}{\leadsto}_A s$.

Thus, the closure construction augments $A$ by adding new time-passage steps to short-circuit the effects of any number of $\tau$ and time-passage actions of $A$.

Proposition 6.1 cl($A$) is a timed automaton.

6.1.2 Relating Timed and Untimed Traces 

In this section, we describe some close connections between A and cl(A). We begin with a 
preliminary lemma showing the relationship between moves of A and of cl(A). 

Lemma 6.2 Suppose s' and s are states of A. 

1. If β is a finite sequence of actions in ext(A) then 

$s' \xRightarrow{\beta}_{cl(A)} s$ if and only if $s' \xRightarrow{\text{t-trace}(\beta)}_A s$. 

2. If p is a finite timed sequence pair over vis(A) then 

$s' \xRightarrow{\text{trace}(p)}_{cl(A)} s$ if and only if $s' \xRightarrow{p}_A s$. 

Proof: Part 1 is straightforward. Part 2 follows from part 1 and Lemma 2.5. ■ 
From this we can prove: 

Lemma 6.3 

1. If β is a finite sequence of actions in ext(A) then 

$\beta \in \text{traces}^*(cl(A))$ if and only if $\text{t-trace}(\beta) \in \text{t-traces}^*(A)$. 

2. If p is a finite timed sequence pair over vis(A) then 

$\text{trace}(p) \in \text{traces}^*(cl(A))$ if and only if $p \in \text{t-traces}^*(A)$. 

Proof: We show Part 1. Suppose that β is a finite sequence of actions in ext(A), and let 
p = t-trace(β). 

⇒: Suppose that $\beta \in \text{traces}^*(cl(A))$. Then there exist $s' \in start(cl(A))$ and $s \in states(cl(A))$ 
such that $s' \xRightarrow{\beta}_{cl(A)} s$. Then Lemma 6.2 implies that $s' \xRightarrow{p}_A s$. This implies 
that $p \in \text{t-traces}^*(A)$. 

⇐: Suppose that $p \in \text{t-traces}^*(A)$. Then there exist $s' \in start(A)$ and $s \in states(A)$ such 
that $s' \xRightarrow{p}_A s$. Then Lemma 6.2 implies that $s' \xRightarrow{\beta}_{cl(A)} s$. This implies that $\beta \in \text{traces}^*(cl(A))$. 

Part 2 follows from part 1 and Lemma 2.5. ■ 

A similar result holds for admissible sequences: 

Lemma 6.4 

1. If β is an admissible sequence of actions in ext(A) then 

$\beta \in \text{traces}^\omega(cl(A))$ if and only if $\text{t-trace}(\beta) \in \text{t-traces}^\infty(A)$. 

2. If p is an admissible timed sequence pair over vis(A) then 

$\text{trace}(p) \in \text{traces}^\omega(cl(A))$ if and only if $p \in \text{t-traces}^\infty(A)$. 

We now show that t-determinism of A corresponds to determinism of cl(A), and likewise 
for t-fin and fin. 

Lemma 6.5 

1. A is t-deterministic if and only if cl(A) is deterministic. 

2. A has t-fin if and only if cl(A) has fin. 

Proof: We first prove part 1: 

⇒: Suppose A is t-deterministic. Then, by Lemma 3.2, all τ steps of A are of the form 
$s \xrightarrow{\tau}_A s$. But this means that cl(A) and A are identical. And thus both A and cl(A) are 
deterministic by Lemma 3.1. 

⇐: Suppose cl(A) is deterministic. Then all τ steps of cl(A) are of the form $s \xrightarrow{\tau} s$. But 
since cl(A) is obtained from A by adding time-passage steps only, also all τ steps of A are of 
the form $s \xrightarrow{\tau} s$. This again implies that cl(A) and A are identical. And thus both A and 
cl(A) are t-deterministic by Lemma 3.1. 

Next we prove part 2: 

⇒: Suppose A has t-fin. Then start(A) is finite and hence start(cl(A)) is finite. Suppose 
s' is a state of cl(A) and β is a finite sequence over ext(cl(A)). We show that the set 
$S = \{ s \mid s' \xRightarrow{\beta}_{cl(A)} s \}$ is finite. Suppose s ∈ S. Then Lemma 6.2 implies that s ∈ U, where 
$U = \{ u \mid s' \xRightarrow{\text{t-trace}(\beta)}_A u \}$. Thus S ⊆ U. Since A has t-fin, U is finite. Thus S is finite, as 
required. 

⇐: Suppose that cl(A) has fin. Then start(cl(A)) is finite and hence start(A) is finite. 
Suppose s' is a state of A and p is a finite timed sequence pair over vis(A). We show that 
the set $S = \{ s \mid s' \xRightarrow{p}_A s \}$ is finite. Suppose s ∈ S. Then Lemma 6.2 implies that s ∈ U, 
where $U = \{ u \mid s' \xRightarrow{\text{trace}(p)}_{cl(A)} u \}$. Since cl(A) has fin, U is finite. Thus S is finite, as required. 
■ 

Now we relate finite timed trace inclusion for timed automata to ordinary finite trace 
inclusion for their closure automata. 

Lemma 6.6 $A \le^t_{*T} B \Leftrightarrow cl(A) \le_{*T} cl(B)$. 

Proof: 

⇒: Suppose that $\beta \in \text{traces}^*(cl(A))$. Then Lemma 6.3 implies that $p \in \text{t-traces}^*(A)$, 
where p = t-trace(β). The hypothesis then implies that also $p \in \text{t-traces}^*(B)$. Again by 
Lemma 6.3, we have $\beta \in \text{traces}^*(cl(B))$. 

⇐: Suppose that $p \in \text{t-traces}^*(A)$. Then Lemma 6.3 implies that $\beta \in \text{traces}^*(cl(A))$, 
where β = trace(p). The hypothesis then implies that also $\beta \in \text{traces}^*(cl(B))$. Again by 
Lemma 6.3, we have $p \in \text{t-traces}^*(B)$. ■ 

We can also obtain a one-way relationship between general timed trace inclusion for timed 
automata and general trace inclusion for their closure automata. 

Lemma 6.7 If $cl(A) \le_T cl(B)$ then $A \le^t_T B$. 

Proof: Suppose $cl(A) \le_T cl(B)$. Then certainly $cl(A) \le_{*T} cl(B)$, so by Lemma 6.6, 
$A \le^t_{*T} B$. It remains to show that the admissible timed traces of A are included in those of B. 
For this, suppose that $p \in \text{t-traces}^\infty(A)$. 
Then Lemma 6.4 implies that $\beta \in \text{traces}^\omega(cl(A))$, where β = trace(p). The hypothesis then 
implies that $\beta \in \text{traces}^\omega(cl(B))$. Again by Lemma 6.4, we have $p \in \text{t-traces}^\infty(B)$. ■ 

Example 6.8 The converse of Lemma 6.7 does not hold in general. For a counterexample, let 
B be a timed automaton that nondeterministically chooses a positive natural number n, then 
performs action a at times $1 - 2^{-1}, 1 - 2^{-2}, \ldots, 1 - 2^{-n}$, and then idles forever, allowing time 
to pass. Since each finite timed execution can be extended to an admissible one, B is feasible; 
since it has infinitely many start states B has infinite invisible nondeterminism. Let A be the 
same as B, except that it may also choose ω at the beginning, in which case it subsequently 
performs action a at times $1 - 2^{-1}, 1 - 2^{-2}, \ldots, 1 - 2^{-n}, \ldots$ Timed automaton A is not feasible 
because by choosing ω it reaches a state from which only a Zeno execution, and no admissible 
execution, is possible. Timed automata A and B have the same timed traces, but cl(A) also 
has an infinite trace $(a, 1 - 2^{-1}), (a, 1 - 2^{-2}), \ldots, (a, 1 - 2^{-n}), \ldots$ which cl(B) does not have. 

It turns out that the converse of Lemma 6.7 does hold if B has t-fin. 

Lemma 6.9 Suppose B has t-fin. Then $cl(A) \le_T cl(B) \Leftrightarrow A \le^t_T B$. 

Proof: 

$cl(A) \le_T cl(B)$ ⇔ (by Lemma 6.5, and Proposition 2.6 of Part I) 

$cl(A) \le_{*T} cl(B)$ ⇔ (by Lemma 6.6) 

$A \le^t_{*T} B$ ⇔ (by Proposition 4.4) 

$A \le^t_T B$. ■ 

Finally, we obtain a corollary that relates timed trace inclusions for timed automata to 
simulations for their closures. 
Corollary 6.10 The following statements are equivalent. 

1. $A \le^t_{*T} B$. 

2. $cl(A) \le_{FB} cl(B)$. 

3. $cl(A) \le_{BF} cl(B)$. 

If B has t-fin then also the following statements are equivalent to each other and to the three 
statements above. 

1. $A \le^t_T B$. 

2. $cl(A) \le_{iFB} cl(B)$. 

Proof: 

$A \le^t_{*T} B$ ⇔ (by Lemma 6.6) 

$cl(A) \le_{*T} cl(B)$ ⇔ (by Theorems 4.5 and 4.6 of Part I) 

$cl(A) \le_{FB} cl(B)$ ⇔ (by Proposition 4.10 of Part I) 

$cl(A) \le_{BF} cl(B)$. 

If B has t-fin then 

$A \le^t_{*T} B$ ⇒ (by Lemma 6.6) 

$cl(A) \le_{*T} cl(B)$ ⇒ (by Lemma 6.5, and Theorem 4.6 of Part I) 

$cl(A) \le_{iFB} cl(B)$ ⇒ (by Theorem 4.5 of Part I) 

$cl(A) \le_T cl(B)$ ⇒ (by Lemma 6.7) 

$A \le^t_T B$ ⇒ $A \le^t_{*T} B$. ■ 

Corollary 6.10 already provides one method for proving that the finite timed traces of 
a timed automaton A are included among those of another timed automaton B: produce 
an ordinary forward-backward or a backward-forward simulation from cl(A) to cl(B). Of 
course, any simpler type of simulation from Part I, such as a forward or backward simulation, 
will do as well. Similarly, Corollary 6.10 provides a method for proving that all the timed 
traces of A are included among those of B, in case B has t-fin. 

This approach is analogous to that followed for Milner's CCS [49] where the problem of 
establishing a weak bisimulation is reduced to the problem of finding a strong bisimulation. 
Another example of this approach appears in [38], where the problem of showing inclusion of 
timed behaviors of certain kinds of timed automata is reduced to that of proving inclusion 
between sets of admissible behaviors of certain derived I/O automata. 

However, this is not the approach we emphasize in this paper. Instead, we will use 
the closure automata as a technical device to help us prove soundness, completeness and 
implication results for the new timed simulations defined in Section 5. For this, we proceed 
in the next subsection to relate timed simulations to corresponding untimed simulations for 
closure automata. 
6.1.3 Relating Timed and Untimed Simulations 

In Section 6.1.2, we showed that (under certain finiteness conditions) inclusion of timed 
traces for timed automata is equivalent to inclusion of ordinary traces for the closures of these 
automata. Now we demonstrate strong relationships between timed simulations for 
timed automata, and ordinary simulations for the closures of these automata. 

Lemma 6.11 A relation from states(A) to states(B) is a timed refinement from A to B if 
and only if it is a refinement from cl(A) to cl(B). Moreover, the same correspondence 
also holds for forward simulations, backward simulations, forward-backward simulations, 
backward-forward simulations, history relations and prophecy relations. 

Proof: We prove the result for refinements. 

⇒: Suppose that r is a timed refinement from A to B. We show that r is a refinement from 
cl(A) to cl(B). The start condition carries over immediately; we consider the step condition. 
Suppose that $s' \xrightarrow{a}_{cl(A)} s$. Then $s' \xRightarrow{a}_{cl(A)} s$ and so Lemma 6.2 implies that $s' \xRightarrow{p}_A s$, where 
p = t-trace(a). Since r is a timed refinement, Lemma 5.1 implies that $r(s') \xRightarrow{p}_B r(s)$. Then 
Lemma 6.2 implies that $r(s') \xRightarrow{\text{trace}(p)}_{cl(B)} r(s)$. But case analysis based on whether a is a 
visible, internal or time-passage action shows that trace(p) = a, so this is as needed. 

⇐: Suppose that r is a refinement from cl(A) to cl(B). We show that r is a timed 
refinement from A to B. The start condition carries over immediately; we consider the step 
condition. Suppose that $s' \xrightarrow{a}_A s$. Then $s' \xrightarrow{a}_{cl(A)} s$, by definition of cl(A). Since r is 
a refinement, we have that $r(s') \xRightarrow{a}_{cl(B)} r(s)$. Then Lemma 6.2 implies that $r(s') \xRightarrow{p}_B r(s)$, 
where p = t-trace(a), as needed. 

The proofs for forward, backward, forward-backward and backward-forward simulations 
are entirely analogous, using the appropriate parts of Lemma 5.1. The results for history 
and prophecy relations follow from those for forward simulations, backward simulations and 
refinements. ■ 

Therefore, we have: 

Corollary 6.12 Suppose X represents any of {R, F, B, iB, FB, iFB, BF, iBF, H, P, iP}. 
Then $A \le^t_X B$ if and only if $cl(A) \le_X cl(B)$. 

Proposition 6.13 The relations $\le^t_R$, $\le^t_F$, $\le^t_B$, $\le^t_{iB}$, $\le^t_{FB}$, $\le^t_{iFB}$, $\le^t_{BF}$, $\le^t_H$, $\le^t_P$ and $\le^t_{iP}$ are 
all preorders. (However, $\le^t_{iBF}$ is not a preorder.) 

Proof: This follows from Corollary 6.12, since the corresponding untimed simulations are 
preorders. The same counterexample that we used to show that $\le_{iBF}$ is not a preorder (the 
automata $A_{11}$ and $A_{12}$ of Example 4.11 in Part I), can be used to show that $\le^t_{iBF}$ is not a 
preorder. One can turn the automata from this counterexample into feasible timed automata 
via the patient construction of [41]. This construction introduces arbitrary time delays at 
each state by simply attaching, for each d, steps $s \xrightarrow{d} s$ to each state s. ■ 
6.2 Soundness and Implication Results for Timed Automaton Simulation Relations 

In this section, we give those results about timed automata that follow from corresponding 
results about untimed automata, using the results in the previous two sections. We present 
most of these results in a single theorem, which is entirely analogous to a classification given 
in Section 7 of Part I. 

Theorem 6.14 Suppose M, N ∈ {T, *T, R, F, (i)B, (i)FB, (i)BF, H, (i)P}, where the (i) 
indicates that i is optional. 

1. If there is a path from $\le^t_M$ to $\le^t_N$ in Figure 1 consisting of thin arrows only, and if 
$A \le^t_M B$, then $A \le^t_N B$. 

2. If there is a path from $\le^t_M$ to $\le^t_N$ consisting of thin and/or thick arrows, if $A \le^t_M B$ 
and if B has t-fin, then $A \le^t_N B$. 

[Figure 1: a diagram, not reproduced here, whose nodes are the relations $\le^t_X$ between timed 
automata, connected by thin and thick arrows. The only node labels that survive from the image 
are $\le^t_{iBF}$, $\le^t_{iFB}$, $\le^t_B$, $\le^t_{BF}$, $\le^t_{FB}$, $\le^t_T$ and $\le^t_{*T}$.] 

Figure 1: Classification of basic relations between timed automata 

Proof: Note that Figure 1 is identical to Figure 6 of Part I, which gives an overview of the 
relationships in the untimed case, except for the superscripts t. It is enough to prove: 

1. If there is a thin arrow from $\le^t_M$ to $\le^t_N$ and if $A \le^t_M B$, then $A \le^t_N B$. 

2. If there is a thick arrow from $\le^t_M$ to $\le^t_N$, if $A \le^t_M B$ and if B has t-fin, then $A \le^t_N B$. 

For part 1, suppose that there is a thin arrow from $\le^t_M$ to $\le^t_N$ and that $A \le^t_M B$. If {M, N} ∩ 
{T, *T} = ∅, then Corollary 6.12 implies that $cl(A) \le_M cl(B)$. Then the corresponding 
result for the untimed case implies that $cl(A) \le_N cl(B)$, which implies by Corollary 6.12 
that $A \le^t_N B$, as needed. There are four remaining thin arrows to consider. 

1. M = iFB and N = T. Corollary 6.12 implies that $cl(A) \le_{iFB} cl(B)$. The untimed result 
implies that $cl(A) \le_T cl(B)$, which implies by Lemma 6.7 that $A \le^t_T B$. 

2. M = T and N = *T. This is immediate from the definitions. 

3. M = *T and N = FB. Corollary 6.10 implies that $cl(A) \le_{FB} cl(B)$, which implies by 
Corollary 6.12 that $A \le^t_{FB} B$. 

4. M = FB and N = *T. Corollary 6.12 implies that $cl(A) \le_{FB} cl(B)$, which implies by 
Corollary 6.10 that $A \le^t_{*T} B$. 

For part 2, suppose that there is a thick arrow from $\le^t_M$ to $\le^t_N$, that $A \le^t_M B$ and that B 
has t-fin. There are only two thick arrows to consider: 

1. M = *T and N = T. This follows from Proposition 4.4. 

2. M = T and N = iFB. Corollary 6.10 implies that $cl(A) \le_{iFB} cl(B)$, which implies by 
Corollary 6.12 that $A \le^t_{iFB} B$. 

■ 

In order to show that all the inclusions are strict, one can use essentially the same 
counterexamples as in the untimed setting. Again one can turn these untimed counterexamples 
into feasible timed automata via the patient construction of [41], i.e., by introducing arbitrary 
time delays at each state by attaching, for each d, steps $s \xrightarrow{d} s$ to each state s. 

We close this section with three more results that are derived from the analogous results 
for the untimed case using the correspondences. 

Theorem 6.15 (Partial completeness of timed forward simulations) 
Suppose B is t-deterministic and $A \le^t_{*T} B$. Then $A \le^t_F B$. 

Proof: By Lemma 6.5(1), cl(B) is deterministic, and by Lemma 6.6, $cl(A) \le_{*T} cl(B)$. 
Thus by the partial completeness result for forward simulations (Theorem 3.11, Part I), 
$cl(A) \le_F cl(B)$. Then Corollary 6.12 allows us to conclude that $A \le^t_F B$, as required. ■ 

Proposition 6.16 Suppose all states of A are reachable, B is t-deterministic and $A \le^t_B B$. 
Then $A \le^t_R B$. 

Proof: Lemma 6.2 implies that all states of cl(A) are reachable, Lemma 6.5 implies that 
cl(B) is deterministic, and Corollary 6.12 implies that $cl(A) \le_B cl(B)$. By Proposition 3.19 
of Part I, the untimed version of the fact we are proving, $cl(A) \le_R cl(B)$. Then Corollary 6.12 
allows us to conclude that $A \le^t_R B$, as required. ■ 

Proposition 6.17 Suppose all states of A are reachable, B has t-fin and $A \le^t_B B$. Then 
$A \le^t_{iB} B$. 

Proof: Similar to the proof of Proposition 6.16. 
7 Remaining Results for Timed Automata 

In Section 6, we showed how some simple correspondences enable most of the results for 
untimed automata to be extended to timed automata. In this section, we consider what 
happens to all the other results of Part I. We begin with the results about untimed au- 
tomata that do not extend in this way but are nonetheless true. In Section 7.1 we present 
partial completeness results that involve t-forests. These do not carry over using the corre- 
spondences because the closure of a t-forest need not be a forest: in a t-forest (and hence 
also in its closure) a state may have multiple incoming time-passage steps, something which 
is not allowed in a forest. In Sections 7.2 and 7.3, we present results that assert the exis- 
tence of timed automata with particular properties, including the completeness results for 
the combination of timed forward and timed backward simulations and the Abadi-Lamport 
completeness result. We prove all of these results directly for timed automata. In most 
cases, the proof is analogous to the corresponding proof in Part I. Finally, in Section 7.4, 
we demonstrate that the one remaining result of Part I, Proposition 3.12, is not true in the 
timed setting. 

7.1 Partial Completeness Results for t-Forests 

Theorem 7.1 (Partial completeness of timed refinements) Suppose A is a t-forest, B is 
t-deterministic and $A \le^t_{*T} B$. Then $A \le^t_R B$. 

Proof: Analogous to the proof of Theorem 3.5 in Part I. Define r = t-after(B) ∘ t-past(A). 
Lemma 3.5 and the fact that t-traces*(A) ⊆ t-traces*(B) together imply that r is a function 
from states(A) to states(B). We claim that r is a timed refinement from A to B. 

The start condition is straightforward. 

For the transfer condition, suppose that $s' \xrightarrow{a}_A s$. Let p = t-trace(a); then $s' \xRightarrow{p}_A s$. We 
must show that $r(s') \xRightarrow{p}_B r(s)$. Since A is a t-forest, there exist timed traces q' and q leading 
to s' and s respectively. Lemma 2.10 implies that q' · p leads from a start state of A to s. 
Since A is a t-forest and q and q' · p both lead to s, it must be that q' · p = q. 

By definition of r, we have $u \xRightarrow{q}_B r(s)$ for some start state u of B. Then 
Lemma 2.10 implies that there is a state u' of B such that $u \xRightarrow{q'}_B u'$ and $u' \xRightarrow{p}_B r(s)$. Since 
q' leads from a start state of A to s', the definition of r then implies that u' = r(s'). Thus, 
$r(s') \xRightarrow{p}_B r(s)$, as needed. ■ 



Theorem 7.2 (Partial completeness of timed backward simulations) Suppose A is a t-forest 
and $A \le^t_{*T} B$. Then 

1. $A \le^t_B B$, and 

2. if B has t-fin then $A \le^t_{iB} B$. 

Proof: Analogous to the proof of Theorem 3.18 in Part I. We define a relation b over 
states(A) and states(B). For a given state s of A, Lemma 3.5 implies that there is a unique 
timed trace leading to s, say p. Define 

$b[s] = \{\, u \mid \exists W \in \text{t-execs}^*(B) : \text{t-trace}(W) = p,\ W.lstate = u,\ \text{and}$ 

$\qquad\qquad \forall W' \in \text{t-execs}^*(B) : [W' \prec W \rightarrow \text{t-trace}(W') \ne p] \,\}.$ 

Lemma 3.5 and the fact that t-traces*(A) ⊆ t-traces*(B) imply that relation b is total. The 
start condition follows as in the proof of Theorem 3.18 in Part I. 

For the transfer condition, suppose that $s' \xrightarrow{a}_A s$, u ∈ b[s], and p = t-trace(a); then 
$s' \xRightarrow{p}_A s$. We define u' ∈ b[s'] such that $u' \xRightarrow{p}_B u$. As in the proof of Theorem 7.1, we 
obtain timed traces q' and q leading to s' and s respectively, and conclude that q' · p = q. 
Since u ∈ b[s], we have $u_0 \xRightarrow{q}_B u$ for some start state $u_0$ of B. Then Lemma 2.10 implies that 
there is a state u' of B such that $u_0 \xRightarrow{q'}_B u'$ and $u' \xRightarrow{p}_B u$. Moreover, it is possible to select u' 
in a 'minimal' way so that there is an execution from $u_0$ to u' with timed trace q' that does 
not end with a τ step. Since q' leads from a start state of A to s', the definition of b implies 
that u' ∈ b[s']. This suffices. 

Lemma 3.5 implies that if B has t-fin then relation b is image-finite. ■ 



7.2 Combined Timed Forward and Backward Simulations 

In this subsection, we give the completeness results for the combination of timed forward 
and timed backward simulations. In order to prove these results, we use variants of the 
classic subset construction from automata theory, and a variant of the dual historization 
construction of Klarlund and Schneider [29]. 

The backward power of a timed automaton A, notation b-power(A), is the automaton B 
defined by 

• states(B) = N(states(A)), 

• start(B) = N(start(A)), 

• acts(B) = acts(A), and 

• for S', S ∈ states(B) and a ∈ acts(B), 



The finitary backward power of A, notation fin-b-power(A), is defined in exactly the same 
way, except that instead of all non-empty subsets of states(A) and start(A) only the finite 
non-empty subsets are used. The forward power or historization of A, notation f-power(A), 
is the automaton F defined by 

• states(F) = P(states(A)), 

• start(F) = {S ⊆ states(A) | S ∩ start(A) ≠ ∅}, 

• acts(F) = acts(A), and 

• for S', S ∈ states(F) and a ∈ acts(F), 

$S' \xrightarrow{a}_F S \Leftrightarrow \forall s' \in S'\ \exists s \in S : s' \xRightarrow{a}_A s.$ 

Lemma 7.3 Suppose B = b-power(A), I = fin-b-power(A) and F = f-power(A). Then B, 
I and F are timed automata and 

1. $A \le^t_R B$ and $B \le^t_B A$, 

2. $A \le^t_R I$ and $I \le^t_{iB} A$, 

3. $A \le^t_R F$ and $F \le^t_F A$. 

Proof: First we show that B satisfies axioms S1 and S2. For S1, suppose that $S' \xrightarrow{d}_B S''$ 
and $S'' \xrightarrow{d'}_B S$. Then 

$\forall s'' \in S''\ \exists s' \in S' : s' \xRightarrow{(\lambda,d)}_A s''$, and 

$\forall s \in S\ \exists s'' \in S'' : s'' \xRightarrow{(\lambda,d')}_A s$. 

It follows, using Lemma 2.10, that 

$\forall s \in S\ \exists s' \in S' : s' \xRightarrow{(\lambda,d+d')}_A s$, 

i.e., that $S' \xrightarrow{d+d'}_B S$, as needed for S1. 

For S2, suppose that $S' \xrightarrow{d}_B S$. Define w : [0, d] → states(B) as follows: let w(0) = S', 
w(d) = S, and for any t, 0 < t < d, let $w(t) = \{ u \in states(A) \mid \exists s' \in S' : s' \xRightarrow{(\lambda,t)}_A u \}$. 
Suppose $0 \le t_1 < t_2 \le d$; we must show that $w(t_1) \xrightarrow{t_2 - t_1}_B w(t_2)$. There are three nontrivial 
cases: 

1. $0 = t_1 < t_2 < d$. 

We must show that $S' \xrightarrow{t_2}_B w(t_2)$, that is, that 

$\forall u \in w(t_2)\ \exists s' \in S' : s' \xRightarrow{(\lambda,t_2)}_A u$. 

But this is immediate from the definition of $w(t_2)$. 

2. $0 < t_1 < t_2 = d$. 

We must show that $w(t_1) \xrightarrow{d - t_1}_B S$, that is, that 

$\forall s \in S\ \exists u \in w(t_1) : u \xRightarrow{(\lambda,d-t_1)}_A s$. 

So suppose that s ∈ S. Since $S' \xrightarrow{d}_B S$, there exists a state s' ∈ S' such that $s' \xRightarrow{(\lambda,d)}_A s$. 
Then Lemma 2.10 implies that there exists u such that $s' \xRightarrow{(\lambda,t_1)}_A u$ and $u \xRightarrow{(\lambda,d-t_1)}_A s$. This 
u satisfies all our requirements. 

3. $0 < t_1 < t_2 < d$. 

The argument is similar to that for case 2. 

The mapping that relates to each state s of A the state {s} of B is a timed refinement from 
A to B; hence $A \le^t_R B$. The mapping that relates each state S of B to all its elements is a 
timed backward simulation from B to A; hence $B \le^t_B A$. 

The proofs for I and F are similar to those for B, except for the proof that I satisfies 
axiom S2. Suppose that $S' \xrightarrow{d}_I S$. Then there exists, for each s ∈ S, a finite timed 
execution fragment $W_s$ of A with $W_s.fstate \in S'$, t-trace($W_s$) = (λ, d) and $W_s.lstate = s$. 
Define w : [0, d] → states(I) as follows: let w(0) = S', w(d) = S, and for any t, 0 < t < d, 
let w(t) be the finite set which, for each s ∈ S, contains the last state of the shortest prefix 
of $W_s$ with limit time t. Then it is routine to prove that w is a trajectory for $S' \xrightarrow{d}_I S$. ■ 
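The two power constructions and the relations claimed for them in Lemma 7.3 (parts 1 and 3) can be checked mechanically on a small finite-state automaton. The following Python code is an added example, not part of the paper: it represents an automaton as a set of labelled steps (s', a, s), builds b-power(A) and f-power(A) for a constructed three-state automaton, and verifies that s ↦ {s} is a refinement from A into both powers, that S ↦ S (a set related to its elements) is a backward simulation from b-power(A) to A and a forward simulation from f-power(A) to A, and that the same element relation is not a backward simulation from f-power(A). The step rule used for b-power(A) is the one appearing in the proof of axiom S1 above (every s ∈ S has a predecessor in S'). Two simplifications are assumed: the sample automaton has no τ steps and no time-passage steps, so a move with label a is just a single a-step and the transfer conditions can be checked step for step; and the trajectory axioms S1 and S2 are not modelled. The names Automaton, b_power, f_power, is_refinement, is_forward_simulation, is_backward_simulation and SAMPLE belong to this example only.

```python
from itertools import combinations


class Automaton:
    """Finite automaton skeleton used by this example (not the paper's formalism).
    Steps are triples (s', a, s). Trajectory axioms S1 and S2 are not modelled."""

    def __init__(self, states, start, steps):
        self.states = frozenset(states)
        self.start = frozenset(start)
        self.steps = frozenset(steps)
        self.acts = frozenset(a for _, a, _ in steps)

    def succ(self, s, a):
        """All states reachable from s by a single a-step."""
        return {t for (u, b, t) in self.steps if u == s and b == a}


def nonempty_subsets(xs):
    xs = sorted(xs)
    for k in range(1, len(xs) + 1):
        for c in combinations(xs, k):
            yield frozenset(c)


def b_power(A):
    """Backward power: non-empty subsets as states; S' -a-> S iff every s in S
    has an a-predecessor in S' (the rule used in the proof of axiom S1 above)."""
    states = list(nonempty_subsets(A.states))
    start = [S for S in states if S <= A.start]
    steps = {(Sp, a, S) for Sp in states for S in states for a in A.acts
             if all(any(s in A.succ(sp, a) for sp in Sp) for s in S)}
    return Automaton(states, start, steps)


def f_power(A):
    """Forward power (historization): all subsets as states; S' -a-> S iff
    every s' in S' has an a-successor in S."""
    states = [frozenset()] + list(nonempty_subsets(A.states))
    start = [S for S in states if S & A.start]
    steps = {(Sp, a, S) for Sp in states for S in states for a in A.acts
             if all(A.succ(sp, a) & S for sp in Sp)}
    return Automaton(states, start, steps)


def is_refinement(src, dst, r):
    """r maps each state of src to one state of dst. Start states go to start
    states and every step of src is matched by an equally labelled step of dst."""
    return (all(r[s] in dst.start for s in src.start)
            and all((r[sp], a, r[s]) in dst.steps for (sp, a, s) in src.steps))


def is_forward_simulation(src, dst, f):
    """f maps each state of src to a set of dst states; forward transfer condition."""
    return (all(f[s] & dst.start for s in src.start)
            and all(any((up, a, u) in dst.steps for u in f[s])
                    for (sp, a, s) in src.steps for up in f[sp]))


def is_backward_simulation(src, dst, b):
    """b maps each state of src to a set of dst states: b must be total, relate
    start states only to start states, and match every step backwards."""
    return (all(b[s] <= dst.start for s in src.start)
            and all(b[s] for s in src.states)
            and all(any((up, a, u) in dst.steps for up in b[sp])
                    for (sp, a, s) in src.steps for u in b[s]))


# Constructed sample: a nondeterministic 'a' from state 0, then 'b', and a 'c' loop back.
SAMPLE = Automaton(
    states={0, 1, 2},
    start={0},
    steps={(0, "a", 1), (0, "a", 2), (1, "b", 2), (2, "c", 0)},
)


def lemma_7_3_checks(A):
    """Evaluate the relations of Lemma 7.3 (parts 1 and 3) on A; all should hold."""
    B, F = b_power(A), f_power(A)
    singleton = {s: frozenset([s]) for s in A.states}
    return {
        "A <=_R b-power(A) via s -> {s}": is_refinement(A, B, singleton),
        "b-power(A) <=_B A via S -> S": is_backward_simulation(B, A, {S: set(S) for S in B.states}),
        "A <=_R f-power(A) via s -> {s}": is_refinement(A, F, singleton),
        "f-power(A) <=_F A via S -> S": is_forward_simulation(F, A, {S: set(S) for S in F.states}),
    }


if __name__ == "__main__":
    for claim, holds in lemma_7_3_checks(SAMPLE).items():
        print(f"{claim}: {holds}")
```

The contrast worth noticing is the direction of the quantifiers: b-power(A) demands a predecessor for every element of the target set, which is exactly what a backward simulation needs, while f-power(A) demands a successor for every element of the source set, which is what a forward simulation needs; swapping the roles (the element relation as a backward simulation from f-power(A)) fails.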

Theorem 7.4 

1. $A \le^t_{FB} B \Leftrightarrow (\exists C : A \le^t_F C \le^t_B B)$. 

2. $A \le^t_{iFB} B \Leftrightarrow (\exists C : A \le^t_F C \le^t_{iB} B)$. 

3. $A \le^t_{BF} B \Leftrightarrow (\exists C : A \le^t_B C \le^t_F B)$. 

4. $A \le^t_{iBF} B \Leftrightarrow (\exists C : A \le^t_{iB} C \le^t_F B)$. 

Proof: The proof of the implications "⇐" is easy. We sketch the proof of "⇒" in 3 and 4. 
The proofs of "⇒" in 1 and 2 are similar. 

Let g be a timed backward-forward simulation from A to B, which is image-finite if 
$A \le^t_{iBF} B$. Let C = f-power(B). Then it is straightforward to check that g is also a timed 
backward simulation from A to C (and is image-finite if $A \le^t_{iBF} B$). Moreover, Lemma 7.3 
gives $C \le^t_F B$. ■ 

It is interesting to note the difference between the above proof of Theorem 7.4 and the 
corresponding proofs of Theorems 4.1 and 4.8 in Part I. In those proofs the intermediate 
automata are "smaller" than the power constructions that we use here, since as states they 
only contain those sets of states of B that are in the range of g. It is not possible to use 
the constructions from Part I here because in general the resulting automata do not satisfy 
the trajectory axiom S2. However, we could have used the power constructions in Part I as 
well. In fact, one can even argue that in some sense this would have been less ad-hoc. 

Theorem 7.5 (Completeness of timed forward and timed backward simulations) Suppose 
$A \le^t_{*T} B$. Then 

1. $\exists C : A \le^t_F C \le^t_B B$, 

2. if B has t-fin then $\exists C : A \le^t_F C \le^t_{iB} B$, and 

3. $\exists C : A \le^t_B C \le^t_F B$. 

Proof: Immediate from Theorems 6.14 and 7.4. 

Parts 1 and 2 can alternatively be shown using a proof analogous to that of Theorem 3.22 
of Part I. Let C = t-can(t-beh(A)). By Lemma 4.8, C is a t-deterministic t-forest and $A \equiv^t_{*T} C$. 
Since C is t-deterministic, $A \le^t_F C$ by partial completeness of timed forward simulations 
(Theorem 6.15), and because C is a t-forest, $C \le^t_B B$ follows by partial completeness of 
timed backward simulations (Theorem 7.2(1)). Similarly, if B has t-fin then $C \le^t_{iB} B$ follows 
by Theorem 7.2(2). ■ 

7.3 Timed History and Prophecy Relations 

In this subsection, we present additional results about the timed auxiliary variable construc- 
tions. 

7.3.1 Timed History Relations 

We begin with a timed analogue to the unfolding construction of Part I. 

The timed unfolding of A, notation t-unfold(A), is the timed automaton B defined by 

• states(B) = t-execs*(A), 

• start(B) = [0, 0] → start(A), 

• acts(B) = acts(A), and 

• for W', W ∈ states(B), $d \in \mathbb{R}^+$ and $a \in acts(B) \setminus \mathbb{R}^+$, 

$W' \xrightarrow{d}_B W \Leftrightarrow \exists w : W' \cdot w = W \wedge w.ltime = d$, 
$W' \xrightarrow{a}_B W \Leftrightarrow W'\, a\, w' = W$, 

where w' is the trivial trajectory that maps to W.lstate. 

We leave it to the reader to verify that t-unfold(A) is a timed automaton. 

Proposition 7.6 t-unfold(A) is a t-forest and $A \le^t_H$ t-unfold(A). 

Proof: Using Lemma 3.4 it follows easily that t-unfold(A) is a t-forest. The function 
lstate, which maps each finite timed execution of A to its last state, is a timed refinement 
from t-unfold(A) to A, and the relation $lstate^{-1}$ is a timed forward simulation from A to 
t-unfold(A). Thus, $lstate^{-1}$ is a timed history relation from A to t-unfold(A). ■ 

We are now in a position to prove a timed version of Sistla's [57] completeness result. 

Theorem 7.7 (Completeness of timed history relations and timed backward simulations) 
Suppose $A \le^t_{*T} B$. Then 

1. $\exists C : A \le^t_H C \le^t_B B$, and 

2. if B has t-fin then $\exists C : A \le^t_H C \le^t_{iB} B$. 

Proof: Analogous to the proof of Theorem 5.6 in Part I; choose C = t-unfold(A). ■ 

We next define a notion of timed superposition, analogous to the notion of superposition in 
Part I. Suppose R is a relation over states(A) and states(B) with R ∩ (start(A) × start(B)) ≠ 
∅. The timed superposition t-sup(A, B, R) of B onto A via R is the timed automaton C given 
by 

• states(C) = R, 

• start(C) = R ∩ (start(A) × start(B)), 

• acts(C) = acts(A) ∩ acts(B), and 

• for (s', u'), (s, u) ∈ states(C) and a ∈ acts(C), 

$(s', u') \xrightarrow{a}_C (s, u) \Leftrightarrow s' \xRightarrow{p}_A s \wedge u' \xRightarrow{p}_B u$, where p = t-trace(a). 

Again we leave it to the reader to check that t-sup(A, B, R) is a timed automaton. 

Theorem 7.8 $A \le^t_F B \Leftrightarrow (\exists C : A \le^t_H C \le^t_R B)$. 

Proof: Suppose $A \le^t_F B$. Let f be a timed forward simulation from A to B, let C = 
t-sup(A, B, f) and let $\pi_1$ and $\pi_2$ be the projection functions that map states of C to their 
first and second components, respectively. Then it is easy to check that $\pi_1^{-1}$ is a timed 
history relation from A to C and $\pi_2$ is a timed refinement from C to B. 

The reverse implication also follows via a standard argument. ■ 

7.3.2 Timed Prophecy Relations 

Finally, we describe the additional results about timed prophecy relations. We give a timed 
analogue to the guess construction of Part I. This can be regarded as a dual to the timed 
unfolding construction of the previous subsection. 

The timed guess of A, notation t-guess(A), is the timed automaton B defined by 

• states(B) = t-frag*(A), 

• start(B) = t-execs*(A), 

• acts(B) = acts(A), and 

• for W', W ∈ states(B), $d \in \mathbb{R}^+$ and $a \in acts(B) \setminus \mathbb{R}^+$, 

$W' \xrightarrow{d}_B W \Leftrightarrow \exists w : W' = w \cdot W \wedge w.ltime = d$, 
$W' \xrightarrow{a}_B W \Leftrightarrow W' = w'\, a\, W$, 

where w' is the trivial trajectory that maps to W'.fstate. 

As before, we leave it to the reader to verify that t-guess(A) is a timed automaton. 

Proposition 7.9 $A \le^t_P$ t-guess(A). 

Proof: Similar to the proof of Proposition 7.6. ■ 

Theorem 7.10 

1. $A \le^t_B B \Leftrightarrow (\exists C : A \le^t_P C \le^t_R B)$. 

2. $A \le^t_{iB} B \Leftrightarrow (\exists C : A \le^t_{iP} C \le^t_R B)$. 

Proof: Similar to the proof of Theorem 7.8, using timed backward simulations instead of 
timed forward simulations. ■ 

We finish this subsection with a dual version of Sistla's completeness result [57] and 
variants of the completeness results of Abadi and Lamport [1]. 

Theorem 7.11 (Completeness of timed prophecy relations and timed forward simulations) 
$A \le^t_T B \Rightarrow \exists C : A \le^t_P C \le^t_F B$. 

Proof: Analogous to the proof of Theorem 5.17 in Part I. ■ 

Theorem 7.12 (Completeness of timed history/prophecy relations and refinements) Suppose 
$A \le^t_{*T} B$. Then 

1. $\exists C, D : A \le^t_H C \le^t_P D \le^t_R B$. 

2. If B has t-fin then $\exists C, D : A \le^t_H C \le^t_{iP} D \le^t_R B$. 

3. $\exists C, D : A \le^t_P C \le^t_H D \le^t_R B$. 

Proof: Analogous to the proofs of Theorems 5.18 and 5.19 in Part I. ■ 

7.4 A Result That Does Not Carry Over 

Proposition 3.12 of Part I does not carry over to our timed setting, i.e., there exist timed 
automata A and B such that A is a t-forest and $A \le^t_F B$ but not $A \le^t_R B$. 

Example 7.13 Timed automaton A may perform a single visible action a at any rational 
time, and then stops. Timed automaton B may only perform a single action a at integer 
times. However, whereas A measures time with a 'perfect clock', B measures time with a clock 
that may run either too slow or too fast, in an arbitrary fashion. The set of states of A is 
$\mathbb{R}^{\ge 0} \times \{T, F\}$, with (0, T) the initial state, and there are steps 

• $(t, J) \xrightarrow{d} (t + d, J)$, for each $t \in \mathbb{R}^{\ge 0}$ and $d \in \mathbb{R}^+$; 

• $(t, T) \xrightarrow{a} (t, F)$, for each $t \in \mathbb{Q}^{\ge 0}$. 

The set of states of B is also $\mathbb{R}^{\ge 0} \times \{T, F\}$, with (0, T) the initial state. The steps of B are 

• $(t, J) \xrightarrow{d} (t', J)$, for all $t, t' \in \mathbb{R}^{\ge 0}$ with t < t' and all $d \in \mathbb{R}^+$; 

• $(t, T) \xrightarrow{a} (t, F)$, for each $t \in \mathbb{N}$. 

Using Lemma 3.4 it is easy to see that A is a t-forest. Also, it is easy to check that the relation 
f given by 

$f = \{\, ((t, b), (t', b')) \mid t \in \mathbb{R}^{\ge 0},\ t' \in \mathbb{N} \text{ and } b = b' \,\}$ 

is a timed forward simulation from A to B. However, there does not exist a timed refinement 
from A to B. The proof is by contradiction. Suppose that r is a timed refinement. Then, by 
the start condition of a timed refinement, r maps the start state (0, T) of A to the start state 
(0, T) of B. The state (1, T) of A has an outgoing a step, so it must be mapped to a state 
of B which has also an outgoing a step, i.e., a state (n, T) for some $n \in \mathbb{N}$. Since A has a 
step $(0, T) \xrightarrow{1} (1, T)$, but B does not have a step $(0, T) \xrightarrow{1} (0, T)$, it follows using the transfer 
condition of a timed refinement that n > 0. Let, for $0 \le i \le 2n$, $s_i$ be the image under r 
of state $(\frac{i}{2n}, T)$ of A. By definition of A and by the transfer condition of a timed refinement, 
$s_i \xrightarrow{1/(2n)} s_{i+1}$, for all i < 2n. Further all $s_i$ must be of the form $(m_i, T)$, for some $m_i \in \mathbb{N}$. By 
definition of B, this means that $0 = m_0 < m_1 < m_2 < \cdots < m_{2n-1} < m_{2n} = n$. This is a 
contradiction, as there are only n − 1 naturals strictly in between 0 and n, and not 2n − 1. 

An interesting question (wide open to us) is to come up with some plausible additional 
axioms for timed automata, such that in the resulting setting all the results on simulations 
that we proved in Part I of this paper do carry over. 



8 Including Invariants 

We show how to introduce invariants into the timed simulations, just as we introduced them 
into the untimed simulations in Section 6 of Part I. An invariant of a timed automaton A 
is defined to be a superset of the set of reachable states of A, i.e., a property that is true of 
all the reachable states of A. Let A and B be timed automata with invariants $I_A$ and $I_B$, 
respectively. 

A weak timed refinement from A to B, with respect to $I_A$ and $I_B$, is a function r : 
states(A) → states(B) that satisfies: 

1. If s ∈ start(A) then r(s) ∈ start(B). 

2. If $s' \xrightarrow{a}_A s$, $s', s \in I_A$ and $r(s') \in I_B$, then $r(s') \xRightarrow{p}_B r(s)$, where p = t-trace(a). 

A weak timed forward simulation from A to B, with respect to $I_A$ and $I_B$, is a relation f 
over states(A) and states(B) that satisfies: 

1. If s ∈ start(A) then f[s] ∩ start(B) ≠ ∅. 

2. If $s' \xrightarrow{a}_A s$, $s', s \in I_A$, and $u' \in f[s'] \cap I_B$, then there exists a state u ∈ f[s] such that 
$u' \xRightarrow{p}_B u$, where p = t-trace(a). 

A weak timed backward simulation from A to B, with respect to $I_A$ and $I_B$, is a relation 
b over states(A) and states(B) that satisfies: 

1. If s ∈ start(A) then $b[s] \cap I_B \subseteq start(B)$. 

2. If $s' \xrightarrow{a}_A s$, $s', s \in I_A$ and $u \in b[s] \cap I_B$, then there exists a state $u' \in b[s'] \cap I_B$ such 
that $u' \xRightarrow{p}_B u$, where p = t-trace(a). 

3. If $s \in I_A$ then $b[s] \cap I_B \ne \emptyset$. 

A weak timed forward-backward simulation from A to B, with respect to $I_A$ and $I_B$, is a 
relation g over states(A) and P(states(B)) that satisfies: 

1. If s ∈ start(A) then there exists S ∈ g[s] such that $S \cap I_B \subseteq start(B)$. 

2. If $s' \xrightarrow{a}_A s$, $s', s \in I_A$ and S' ∈ g[s'], then there exists a set S ∈ g[s] such that for every 
$u \in S \cap I_B$ there exists $u' \in S' \cap I_B$ such that $u' \xRightarrow{p}_B u$, where p = t-trace(a). 

3. If $s \in I_A$ and S ∈ g[s] then $S \cap I_B \ne \emptyset$. 

A weak timed backward-forward simulation from A to B, with respect to $I_A$ and $I_B$, is a 
relation g over states(A) and P(states(B)) that satisfies: 

1. If s ∈ start(A) then, for all S ∈ g[s], S ∩ start(B) ≠ ∅. 

2. If $s' \xrightarrow{a}_A s$, $s', s \in I_A$ and S ∈ g[s], then there exists a set S' ∈ g[s'] such that for every 
$u' \in S' \cap I_B$ there exists a $u \in S \cap I_B$ such that $u' \xRightarrow{p}_B u$, where p = t-trace(a). 

3. If $s \in I_A$ then g[s] ≠ ∅. 

A relation h over states(A) and states(B) is a weak timed history relation from A to B, 
with respect to $I_A$ and $I_B$, provided that h is a weak timed forward simulation from A to B, 
with respect to $I_A$ and $I_B$, and $h^{-1}$ is a weak timed refinement from B to A, with respect to 
$I_B$ and $I_A$. 

A relation p over states(A) and states(B) is a weak timed prophecy relation from A to B, 
with respect to $I_A$ and $I_B$, provided that p is a weak timed backward simulation from A to 
B, with respect to $I_A$ and $I_B$, and $p^{-1}$ is a weak timed refinement from B to A, with respect 
to $I_B$ and $I_A$. 

We write A <U B, A <l F B, A <* wB B, A <U B, A <U B, A <^ iFB 5, A <^ BF 5, 
A <wiBF B } A <wH -^5 A — wP -^ and A <„iP B to denote the existence of a weak refinement, 
weak forward simulation, weak backward simulation, weak image-finite backward simulation, 
etc., from A to 7?, with respect to some invariants I a and 7g. 
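The conditions above can be checked mechanically on finite automata. The following Python script is an added illustration, not code from the paper: it encodes the t-trace of a step as a pair (sequence of external actions, elapsed time), takes the weak step $u' \overset{p}{\Longrightarrow}_B u$ to mean an execution fragment of $B$ from $u'$ to $u$ whose t-trace is $p$ (internal steps and splittings of a time passage into several steps allowed), and checks conditions 1 and 2 of a weak timed forward simulation. The two automata, the relation F and the invariants (taken to be the reachable states, the strongest invariant) are constructed for the example; the unreachable state "stuck" in B shows what the invariant $I_B$ buys, since only $u' \in f[s'] \cap I_B$ has to answer a step.

```python
from collections import deque
from fractions import Fraction

TAU = "tau"   # the internal action; any label that is neither external nor a duration is internal


class TimedAutomaton:
    """A finite timed automaton given by start states, external actions and steps.
    A step is a triple (s', a, s); a is an action label, or a Fraction d > 0 for a
    time-passage step of duration d."""

    def __init__(self, start, external, steps):
        self.start = frozenset(start)
        self.external = frozenset(external)
        self.steps = list(steps)
        self.states = self.start | {s for s, _, _ in steps} | {s for _, _, s in steps}

    def succ(self, s):
        return [(a, t) for (u, a, t) in self.steps if u == s]

    def reachable(self):
        """The set of reachable states, i.e. the strongest invariant of the automaton."""
        seen, todo = set(self.start), deque(self.start)
        while todo:
            s = todo.popleft()
            for _, t in self.succ(s):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return frozenset(seen)


def t_trace(a, external):
    """t-trace of a single step, encoded as (external actions, elapsed time)."""
    if isinstance(a, Fraction):
        return ((), a)
    return ((a,), Fraction(0)) if a in external else ((), Fraction(0))


def weak_steps(B, u0, p):
    """All u with u0 ==p=>_B u: reachable from u0 by a fragment of B with t-trace p.
    The search keeps only fragments whose t-trace can still be extended to p."""
    exts, elapsed = p
    found, seen = set(), set()
    todo = deque([(u0, (), Fraction(0))])
    while todo:
        u, e, d = todo.popleft()
        if (u, e, d) in seen:
            continue
        seen.add((u, e, d))
        if (e, d) == (exts, elapsed):
            found.add(u)
        for a, v in B.succ(u):
            e1, d1 = t_trace(a, B.external)
            e2, d2 = e + e1, d + d1
            if exts[:len(e2)] == e2 and d2 <= elapsed:     # still a prefix of p
                todo.append((v, e2, d2))
    return found


def check_weak_forward_simulation(A, B, f, IA, IB):
    """Return the violated conditions of a weak timed forward simulation from A to B
    with respect to invariants IA and IB (empty list: f is one).  f maps states of A
    to sets of states of B."""
    bad = []
    for s in A.start:                                    # condition 1
        if not (f.get(s, set()) & B.start):
            bad.append(("start", s))
    for (s1, a, s2) in A.steps:                          # condition 2
        if s1 not in IA or s2 not in IA:
            continue                                     # steps outside IA are unconstrained
        p = t_trace(a, A.external)
        for u1 in f.get(s1, set()) & IB:                 # only states in IB must answer
            if not (weak_steps(B, u1, p) & f.get(s2, set())):
                bad.append(("step", s1, a, s2, u1))
    return bad


ONE, TWO = Fraction(1), Fraction(2)
# Constructed sample A: waits two time units (in one or two steps), then emits "done".
A = TimedAutomaton(
    start=[("wait", 0)], external=["done"],
    steps=[(("wait", 0), ONE, ("wait", 1)), (("wait", 1), ONE, ("wait", 2)),
           (("wait", 0), TWO, ("wait", 2)), (("wait", 2), "done", "fin")])
# Constructed sample B: the same behaviour with an internal step, plus an
# unreachable state "stuck" from which time cannot pass.
B = TimedAutomaton(
    start=["idle"], external=["done"],
    steps=[("idle", ONE, "mid"), ("mid", TAU, "mid2"), ("mid2", ONE, "ready"),
           ("idle", TWO, "ready"), ("ready", "done", "fin"), ("stuck", TAU, "stuck")])
# Constructed candidate relations (hypothetical, chosen for the example).
F = {("wait", 0): {"idle"}, ("wait", 1): {"mid", "mid2", "stuck"},
     ("wait", 2): {"ready"}, "fin": {"fin"}}
F_BAD = {**F, ("wait", 1): {"idle"}}   # idle cannot let exactly one unit of time pass into "ready"

if __name__ == "__main__":
    print(check_weak_forward_simulation(A, B, F, A.reachable(), B.reachable()))      # []
    print(check_weak_forward_simulation(A, B, F, A.states, B.states))                # "stuck" fails
```

With the reachable-state invariants F passes; with the trivial invariants (all states) the same F is rejected because "stuck" $\in f[(\mathit{wait},1)]$ cannot match the time-passage step, which is exactly the difference between a weak simulation and the unconditional one.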

Proposition 8.1 The relations $\le_{wR}$, $\le_{wF}$, $\le_{wB}$, $\le_{wiB}$, $\le_{wFB}$, $\le_{wiFB}$, $\le_{wBF}$, $\le_{wH}$, $\le_{wP}$ and 
$\le_{wiP}$ are all preorders. (However, $\le_{wiBF}$ is not a preorder.) 

Theorem 8.2 (Soundness of weak simulations) 

1. If $A \le_{wR} B$, $A \le_{wF} B$, $A \le_{wiB} B$, $A \le_{wiFB} B$, $A \le_{wBF} B$, $A \le_{wH} B$, or $A \le_{wiP} B$, 
then $A \le_t B$. 

2. If $A \le_{wB} B$, $A \le_{wFB} B$, $A \le_{wiBF} B$, or $A \le_{wP} B$, then $A \le_{*t} B$. 



9 Discussion 

In this paper, we have presented an automata-theoretic model for timing-based systems, and 
have used it to develop a variety of simulation proof techniques for such systems. These 
include timed refinements, timed forward and backward simulations and combinations thereof, 
and timed history and prophecy relations. These techniques are analogous to those described 
in Part I, [44], for untimed systems. As in that paper, we present basic results for all of the 
simulations, including soundness and completeness results. The development is organized so 
that the proofs are based on the results of Part I. In fact, we have shown that all the results 
of Part I carry over to Part II, except for Proposition 3.12. 

The definitions of timed automata and their simulations involve many choices, such as 
the choice of the basic axioms for time-passage steps, whether non-time-passage steps have 
nonzero duration or are instantaneous, whether instantaneous time-passage steps are allowed, 
whether or not automata are required to have finitely many (or countably many) states, 
whether time-passage should be represented absolutely or incrementally, what the notion of 
external behavior should be, whether the simulations should require state reachability, etc. 
Most choices either lead to longer proofs (see for instance an earlier version of this paper 
[43] in which time-passage was represented absolutely) or do not yield all the properties in 
this paper. 

Our notion of timed automaton is related to the models of Merritt, Modugno and Tuttle 
[48] and of Lynch and Attiya [38]. However, these models have more structure than ours, 
since they assume that the system being modelled is describable in terms of a collection of 
separate tasks, each with associated upper and lower bounds on its speed. Also, the model 
of [48] includes treatment of liveness, whereas our model does not. The absence of liveness 
considerations makes our model simpler; moreover, we do not lose much power because many 
properties of practical interest for timing-based systems can be expressed as safety properties, 
given the admissibility assumption that time increases without bound (cf. [24]). Lynch and 
Attiya [38] also extend simulation techniques to timing-based systems. That work, however, 
only considers forward simulations. The extra task structure of the model of Lynch and 
Attiya supports the development of a useful progress measure proof method, which we do 
not develop here. On the other hand, the basic theorems about forward simulations that 
appear in [38] are stated in a setting that has more structure than is really necessary for 
those theorems. 

Lynch and Vaandrager [41] show how a whole class of process algebraic operators can be 
defined on timed automata using the general notion of action transducers. Bosscher, Polak 
and Vaandrager [12] define a language of linear hybrid systems, inspired by the work of 
[5, 8], and provide it with a semantics in terms of timed automata. Our timed automata can 
also be used to define the semantics of the timed safety automata of Alur and Dill [7, 26]. 
In the latter model a finite state restriction is used in order to enable the use of effective 
model-checking methods, something which is of course not possible in our much more general 
model. 

By using our timed automata model as a common semantic basis for several other 
models for timing-based systems, we get into a situation where we can easily use a variety of 
formal proof methods, including assertional methods, algebraic methods, and finite-state 
state exploration ("model-checking") methods. These methods are usable individually or in 
combination. It remains to further develop the various proof methods for timed automata. 
In particular, we are interested in extending the methods of process algebra to our timed 
automaton model. Our paper [41] contains the beginning of such work, including 
definitions of interesting operators on timed automata, and proofs of substitutivity results for the 
timed trace semantics, but it remains to provide useful algebraic laws for reasoning about 
the operators. 

Our timed simulations have already been used extensively elsewhere [12, 23, 32, 34, 
35, 36, 37, 38, 45, 58, 60] for verification of timed algorithms and systems. More work 
is needed in applying timed simulations to additional practical verification examples. In 
particular, nearly all of the examples that have been carried out so far involve refinements, 
forward simulations and history variables. Only [58, 32] involve backward simulations and 
combinations of forward and backward simulations. 

Finally, although the timed automaton model presented here is very general, it has 
become clear that there are at least three ways in which it can be extended: to include treatment 
of liveness properties, to include probabilistic transitions, and to include treatment of hybrid 
systems, including continuously-communicating components. Some work on integrating 
liveness into the present model appears in [16], and work on integrating probabilistic transitions 
appears in [39, 3, 56]. Both liveness and probabilities introduce their own sets of additional 
proof methods, e.g., temporal logic and Markov analysis. In [12], it has been shown how 
linear hybrid systems can be defined in terms of our timed automata. It remains to develop 
the treatment of general hybrid systems, and to integrate all three extensions, with their 
proof tools, into a sensibly coordinated whole. 

A Other Axioms for Timed Automata 

We consider the relationship between axioms S2 and S2', as defined in Section 2.1. The 
relationship between the two axioms is also investigated in [28]. Define a semi-timed automaton 
to be a timed automaton, except that it does not have to satisfy S2, but only the weaker 
(and simpler) axiom S2'. It is immediate from the definition of a trajectory that each timed 
automaton is semi-timed. In this appendix, we consider the reverse implication. 

A.1 Time Determinism 

In Wang's original paper [61], in which the axiom S2' is proposed, the axiom of 
time determinacy is also introduced. In our setting this axiom can be formulated as follows: 

TD If $s \xrightarrow{d} s'$ and $s \xrightarrow{d} s''$, then $s' = s''$. 

Axiom TD says that time is deterministic in the sense that, after a certain amount of time 
has elapsed since the system arrived in some state, the new state is uniquely determined 
provided no internal or visible action has taken place. We say that a semi-timed automaton 
is time deterministic if it satisfies axiom TD. The following theorem is easy to prove. 

Theorem A.1 Each time deterministic semi-timed automaton is a timed automaton. 

Thus, Wang's axiom S2' is equivalent to the trajectory axiom S2 in a context where the 
time determinacy axiom TD is assumed. In our timed automaton model we do not require 
the axiom TD: we find it unnatural to allow for nondeterminism for discrete actions but 
not for time-passage actions. As pointed out in [12], time nondeterministic timed automata 
arise naturally in the semantics of linear hybrid systems, for instance in the modelling of 
drifting clocks. Also, several of the constructions in this paper, like the f-power, b-power and 
superposition construction, introduce time nondeterminism. 

A.2 Countable Time Domains 

One way to obtain equivalence between timed and semi-timed automata is to change the 
underlying time domain. In this paper, we have chosen elements of the set $\mathbb{R}^{\ge 0}$ of nonnegative 
real numbers as time-passage actions for timed automata. Instead, we could have proved 
all our results for automata parametrized with an arbitrary time domain as in [27, 53, 28]. 
A time domain $\mathcal{D} = (T, +, 0)$ consists of a set $T$ of points in time, equipped with a binary 
operator $+$ and constant $0$ such that, for all $t, u, v \in T$, 

T1 $t + 0 = 0 + t = t$ 

T2 $t + (u + v) = (t + u) + v$ 

T3 $t + u = t + v \Rightarrow u = v$ 

T4 $t + u = 0 \Rightarrow t = u = 0$ 

T5 $u \le t \wedge v \le t \Rightarrow u \le v \vee v \le u$ 

where $\le$ is the precedence relation on $T$ defined by $t \le u \Leftrightarrow \exists v : t + v = u$. Axioms T1 
and T2 say that $\mathcal{D}$ is a monoid. Axiom T3 states that $\mathcal{D}$ is left-cancellative, axiom T4 that 
$\mathcal{D}$ is anti-symmetric, and axiom T5 that $\mathcal{D}$ is locally linear. It follows from axioms T1-T4 
that $\le$ is a partial ordering with a unique minimal element $0$. Axiom T3 allows us to define 
the subtraction operator that is required for the trajectory axiom: if $u \le t$ then $t - u$ is 
defined to be the unique $v$ with $u + v = t$. Axiom T5 implies that $\le$ is total on each interval. 
This last axiom does not occur in [27, 53, 28], but we fail to have a clear intuition about 
trajectories without it. Examples of time domains are the nonnegative reals, rationals and 
integers with addition and 0, but also the sets of finite sequences with concatenation and 
the empty sequence. 

Theorem A.2 Suppose $A$ is a semi-timed automaton over a countable time domain. Then 
$A$ is a timed automaton. 
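Axioms T1-T5 are decidable by brute force on a finite sample of a candidate domain, which is a convenient way to see what each axiom excludes. The Python below is an added illustration (not from the paper): it checks the five axioms on constructed samples of two of the domains named above (nonnegative integers under addition, finite sequences under concatenation) and, going beyond the text, on pairs of naturals under componentwise addition, a monoid that satisfies T1-T4 but violates T5, since $(1,0)$ and $(0,1)$ both precede $(1,1)$ yet are incomparable. The precedence relation and the subtraction operator are implemented exactly as defined in the text; each sample is chosen to contain every witness $v$ the checks need, which is an assumption of the example rather than a property of the domains.

```python
from itertools import product


def precedence(points, plus):
    """Precedence relation of a time domain: t <= u iff t + v = u for some v.
    Witnesses v are drawn from the finite sample, so the sample must contain
    every difference the checks need (the samples below are chosen that way)."""
    def leq(t, u):
        return any(plus(t, v) == u for v in points)
    return leq


def check_time_domain(points, plus, zero):
    """Check axioms T1-T5 on a finite sample of a candidate time domain (T, +, 0).
    Returns the names of the axioms that fail on the sample."""
    P = list(points)
    leq = precedence(P, plus)
    pairs, triples = list(product(P, repeat=2)), list(product(P, repeat=3))
    failed = []
    if any(plus(t, zero) != t or plus(zero, t) != t for t in P):
        failed.append("T1")                               # 0 is a two-sided identity
    if any(plus(t, plus(u, v)) != plus(plus(t, u), v) for t, u, v in triples):
        failed.append("T2")                               # associativity
    if any(plus(t, u) == plus(t, v) and u != v for t, u, v in triples):
        failed.append("T3")                               # left-cancellative
    if any(plus(t, u) == zero and not (t == zero and u == zero) for t, u in pairs):
        failed.append("T4")                               # anti-symmetry
    if any(leq(u, t) and leq(v, t) and not (leq(u, v) or leq(v, u))
           for t, u, v in triples):
        failed.append("T5")                               # local linearity
    return failed


def subtract(points, plus, t, u):
    """t - u for u <= t: the unique v with u + v = t (unique by T3)."""
    witnesses = [v for v in points if plus(u, v) == t]
    if len(witnesses) != 1:
        raise ValueError("u <= t fails on the sample, or T3 does")
    return witnesses[0]


# Constructed finite samples, each closed under the differences the checks need.
NATURALS = range(0, 6)
SEQUENCES = [s for n in range(4) for s in product("ab", repeat=n)]   # tuples, length <= 3
PAIRS = list(product(range(3), repeat=2))                            # N x N, componentwise


def add(a, b):
    return a + b


def concat(s, t):
    return s + t


def add_pairs(p, q):
    return (p[0] + q[0], p[1] + q[1])


if __name__ == "__main__":
    print(check_time_domain(NATURALS, add, 0))            # []
    print(check_time_domain(SEQUENCES, concat, ()))       # []
    print(check_time_domain(PAIRS, add_pairs, (0, 0)))    # ['T5']
```

The failing case is instructive for the remark that T5 is absent from [27, 53, 28]: without local linearity two points can both precede $t$ without lying on one path to $t$, which is exactly the situation in which a trajectory, a function of one totally ordered time parameter, no longer makes sense.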
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Proof: Suppose that s'^M-a s. We construct a trajectory w from s' to s. As required, 
w{0) = s' and w(d) = s. Let ti , t 2 , ... be some arbitrary enumeration of all the times in 
the interval (0, d). We define w on elements of this sequence, in order. Let I n be the set 
{0, 7, ti, . . . , t n }. We will inductively construct w so that after w has been defined on I n} 
we will have that w(t') 4^> w(t) for all t',t £ 7 n , t' < t. This is enough to show that w is a 
trajectory from s' to s. 

So suppose that, for some n > 0, w has been defined on I n , and that w(t') 4^> «;(t) for 
all t',t £ 7 n , t' < t. Let u' be the largest time in I n that is smaller than t n+ i } and let u be 
the smallest time in I n that is larger than t n+1 . By the hypothesis about 7 n , we have that 
w(u')¥=f¥ w(u). Since u' < t„ +1 < u, axiom S2' implies that there exists a state s such that 

v H n+1 -u v > u-l n+1 "T 1 ' l 

w[u) <^-> s and s <^-> u;(u). Define w(t n+ i) = s. 

We claim that with this definition of w(t n+ i), we have w(t') 4^> w(t) for all t',t £ 7 n+ i, 
t' < t. Since we already know this for t',t £ 7 n , it is enough to consider the case where one 
of t',t is equal to t n+ \. We give the argument for t = t n+ \\ the argument for t' = t n+ \ is 
analogous. ^ , 

° . t n+1 -u' 

So suppose t = t n+ i. lit' = v! then we already have the needed claim, w(u') <^=M- w(t n+ i). 
The other possibility is that t' < u' . But then the claim for 7 n _implies that w(t')%f$ w(u'). 
Since also w(u') <^=M- w(t n+ i) } axiom SI implies that wit') <^=M- w(t n+ i) } as needed. I 

The above proof relies heavily on the assumption that the time domain is countable: 
since the interval [t' } t] is countable we can construct a trajectory from s' to s in an inductive 
fashion, state by state. Such a construction is no longer possible if the time domain is 
uncountable, as in the case of R-°. 

A. 3 A Counterexample 

At the time we first defined axiom S2, we constructed a complex counterexample to show 
that it was stronger than S2'. The simpler counterexample described below was subsequently 
discovered by Steve Schneider. 

Theorem A.3 Let automaton $D$ be defined by 

• $states(D) = \mathbb{R}^{\ge 0} \times \mathbb{Q}^{\ge 0}$; 

• $start(D) = \{(0, 0)\}$; 

• $acts(D) = \{\tau\} \cup \mathbb{R}^{+}$; and 

• $steps(D)$ is specified by $(t', q') \xrightarrow{d}_D (t, q) \Leftrightarrow d \in \mathbb{R}^{+} \wedge t' + d = t \wedge q' < q$. 

Then $D$ is semi-timed, but not timed. 

Proof: One can easily check that $D$ is semi-timed. However, it is not timed: $D$ does not 
satisfy the trajectory axiom S2 because that would imply, for instance, that the interval 
$[0, 1]$ of reals can be injectively mapped into the rationals. ∎ 

In the context of the present paper, there is no compelling technical reason why one should 
use S2 instead of S2'. In fact, in an earlier version of this paper ([42]) we have developed a 
theory of simulations for semi-timed automata. However, we find the theory for semi-timed 
automata less natural. For instance, the semi-timed automaton $D$ of Theorem A.3 is a t-forest 
according to the definitions of [42], which is strange since an execution that ends in 
$(1, 1)$ may pass through one of two incomparable intermediate states, say $(\frac{1}{2}, q)$ or $(\frac{1}{2}, q')$ 
with $q \neq q'$, but not through both. Also, 
the appealing local characterisation of t-forests of Lemma 3.4 does not hold for t-forests as 
defined in [42]. Trajectories play a vital role in the theory of hybrid systems [21]. Since we 
would like to view our timed automata as an underlying semantic domain for both timed 
and hybrid systems, this provides additional motivation for our choice for the axiom S2. 
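The contrast between Theorem A.2 and Theorem A.3 can be made concrete by running the inductive construction of the A.2 proof on automaton $D$ with its time component restricted to the rationals (a countable domain). The Python below is an added illustration, not code from the paper; it enumerates an initial segment of the rationals in $(0, d)$, inserts each new time $t_{n+1}$ between its neighbours $u'$ and $u$ in $I_n$ using the S2' witness of $D$ (any rational strictly between the two $q$ components; the midpoint is this example's choice), and then verifies the proof's invariant $w(t') \xrightarrow{t - t'} w(t)$ on the whole domain built so far. The resulting map $t \mapsto q$ is a strictly increasing injection of the enumerated times into $\mathbb{Q}$, which is exactly what cannot exist for all of $[0, 1] \subseteq \mathbb{R}$, the reason $D$ over the reals is not timed.

```python
from fractions import Fraction

ONE = Fraction(1)


def rationals_in(d, max_denominator):
    """Constructed initial segment of an enumeration t1, t2, ... of the rationals
    in the open interval (0, d): all those with denominator <= max_denominator,
    ordered by denominator, then numerator, each listed once."""
    seen, out = set(), []
    for den in range(1, max_denominator + 1):
        num = 1
        while Fraction(num, den) < d:
            t = Fraction(num, den)
            if t not in seen:
                seen.add(t)
                out.append(t)
            num += 1
    return out


def is_step(s1, d, s2):
    """Time-passage steps of automaton D (Theorem A.3) with rational time:
    (t', q') --d--> (t, q) iff d > 0, t' + d = t and q' < q."""
    (t1, q1), (t2, q2) = s1, s2
    return d > 0 and t1 + d == t2 and q1 < q2


def split_step(s1, s2, t):
    """S2' witness for D: given w(u') = s1 and w(u) = s2 with u' < t < u, return a
    state s with s1 --(t-u')--> s --(u-t)--> s2.  Any rational strictly between the
    two q components works; the midpoint is the choice made in this example."""
    (_, q1), (_, q2) = s1, s2
    return (t, (q1 + q2) / 2)


def build_trajectory(d, times):
    """The inductive construction from the proof of Theorem A.2, applied to the
    step (0, 0) --d--> (d, 1) of D.  w is defined on {0, d} first; each enumerated
    time is then placed between its nearest already-defined neighbours u' and u."""
    w = {Fraction(0): (Fraction(0), Fraction(0)), d: (d, ONE)}
    for t in times:
        u1 = max(x for x in w if x < t)       # u': largest defined time below t
        u2 = min(x for x in w if x > t)       # u : smallest defined time above t
        w[t] = split_step(w[u1], w[u2], t)
    return w


def is_trajectory(w, d):
    """The proof's invariant on the finite domain of w: endpoints 0 and d are
    defined and w(t') --(t - t')--> w(t) holds for every pair t' < t."""
    ts = sorted(w)
    return ts[0] == 0 and ts[-1] == d and all(
        is_step(w[a], b - a, w[b]) for a in ts for b in ts if a < b)


def q_components(w):
    """The rationals assigned to the enumerated times, in time order."""
    return [w[t][1] for t in sorted(w)]


if __name__ == "__main__":
    W = build_trajectory(ONE, rationals_in(ONE, 6))
    print(len(W), is_trajectory(W, ONE))      # 13 True
    print(q_components(W))
```

Each round of the construction only needs the two neighbours of the new time, which is why countability suffices: the enumeration guarantees every point of $(0, d)$ is eventually reached, and the invariant is re-established after each step by axiom S1 as in the proof.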
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B Glossary of Conventions 



a 


Actions 


b 


Backward simulations 


c 


Choice functions 


d 


Positive real numbers 


f 


Forward simulations 


9 


Forward-backward and backward-forward simulations 


h 


History relations 


i 


Indices 


k 


Symbols 


n 


Natural numbers 


P 


Timed sequence pairs and prophecy relations 


r 


Refinements 


s 


States 


t 


Real numbers plus infinity 


u 


States 


w 


Trajectories 


A } B 


Timed automata 


G 


Digraphs 


I 


Internals (and also invariants) 


K 


Sets of symbols 


L 


Sets of sequences 


M } N 


Types of timed simulation mappings 


P,Q 


Timed trace properties 


R 


Relations 


s,u 


Sets of states 


w 


Timed execution fragments 


X,Y,Z 


Sets 


a 


Execution fragments 


P 


Sequences of external actions (traces) 


7 


Sequences of actions 


6 


Timed sequence 


X 


The empty sequence 


7T 


Projections 


<7,P 


Sequences 


T 


The internal action 
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